Law and the regulatory authority

Legislative framework

Summarise the legislative framework for the protection of personally identifiable information (PII). Does your jurisdiction have a dedicated data protection law? Is the data protection law in your jurisdiction based on any international instruments on privacy or data protection?

The general Hungarian regulatory instruments for the protection of PII are the General Data Protection Regulation (GDPR) and the Act No. CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information (Data Protection Act).

The Data Protection Act was amended in July 2018 to implement the GDPR in Hungary. The Data Protection Act has three building blocks:

  • provisions applying to data processing that falls under the scope of the GDPR - these are additional procedural and substantive rules, where the GDPR permits derogation or the application of national laws;
  • provisions applying to data processing operations that fall outside the scope of the GDPR; and
  • provisions applying to data processing for law enforcement, national security and national defence purposes to implement Directive (EU) 2016/680 of the European Parliament and of the Council (Law Enforcement Directive).

Data protection authority

Which authority is responsible for overseeing the data protection law? Describe the investigative powers of the authority.

The authority responsible for overseeing the data protection law is the National Authority for Data Protection and Freedom of Information (the Authority). Mainly, the Authority has the following investigative powers:

  • it may ask for information and request the client to make statements;
  • it may take testimony from witnesses (including by interview);
  • it may access all PII and information that is necessary for the performance of its tasks;
  • it may also ask for copies of the PII and information;
  • it may make an on-site visit and may access the equipment used in the course of the data processing; and
  • it may ask for an expert opinion.

Legal obligations of data protection authority

Are there legal obligations on the data protection authority to cooperate with other data protection authorities, or is there a mechanism to resolve different approaches?

The Authority is a member of the European Data Protection Board (EDPB), which publishes guidelines to ensure consistency across member states in the interpretation of the GDPR. With regard to issues that are covered by guidelines of the EDPB or WP29 (the predecessor of the EDPB), the Authority follows those guidelines.

In the case of cross-border data processing, the Authority suspends the proceeding until the lead supervisory authority states whether it takes over the case under the GDPR's one-stop-shop mechanism. In such cases, the lead supervisory authority and the Authority must cooperate to find a mutually acceptable solution. If they cannot, the consistency mechanism applies, in which the EDPB may have the final word.

Breaches of data protection

Can breaches of data protection law lead to administrative sanctions or orders, or criminal penalties? How would such breaches be handled?

Breaches may lead to sanctions, which depend on the type of the breach.

The most feared sanction is the administrative fine, which may reach €20 million or 4 per cent of the annual turnover (whichever is higher).

The Authority may also impose corrective measures set out under the GDPR such as:

  • issuing reprimands to a controller or a processor where processing operations have infringed provisions of the GDPR;
  • ordering the controller or the processor to comply with the data subject’s request to exercise his or her rights;
  • ordering the controller or processor to make their processing operations comply with the provisions of the GDPR;
  • ordering the controller to communicate a personal data breach to the data subject;
  • imposing a temporary or definitive limitation (a ban on processing);
  • ordering the rectification or erasure of personal data or restriction of processing;
  • ordering the suspension of data flows to a recipient in a third country or to an international organisation; and
  • withdrawing a certification or ordering the certification body to withdraw a certification.

A breach of data protection laws may also lead to criminal penalties if such a breach is committed for financial gain or if it causes significant detriment for individuals.

The Authority has two kinds of procedures to handle breaches:

  • Investigation: The Authority may start an investigation based on a complaint (which may be made by anyone) or ex officio. At the end of the investigation, the Authority may impose an order to remedy the situation. The controller shall remedy the situation within 30 days of receiving the order. In the investigation procedure, the Authority does not impose fines or other corrective measures.
  • Administrative procedure: The administrative procedure may be launched based on a complaint (only the data subject concerned may make a complaint) or ex officio. The Authority will launch the administrative procedure ex officio only if (i) in the investigation phase the Authority had imposed an order, but the controller did not remedy the situation within the deadline, or (ii) in the investigation phase the Authority concluded that unlawful processing occurred and, based on GDPR rules, a fine may be imposed.

Scope

Exempt sectors and institutions

Does the data protection law cover all sectors and types of organisation or are some areas of activity outside its scope?

Hungarian data protection laws cover all types of organisations. Exemption applies in the case of individuals processing PII for household purposes, but otherwise any organisation that processes PII will be under the scope of Hungarian data protection laws.

Even when the GDPR does not apply (such as processing of PII for national security purposes or by courts), the provisions of the Data Protection Act still apply. In such a case, the Authority remains the supervisory authority, but with a limited corrective power: a fine may go up only to 20 million Hungarian forints. In the case of processing of PII by courts, the processing is supervised by the courts (not the Authority).

As these exemptions are rare, we will focus only on processes that fall under the scope of the GDPR.

Communications, marketing and surveillance laws

Does the data protection law cover interception of communications, electronic marketing or monitoring and surveillance of individuals? If not, list other relevant laws in this regard.

The GDPR and the Data Protection Act cover these areas together with specific Hungarian national legislation such as:

  • in the case of interception of communications: Act XC of 2017 on Criminal Procedure and Act C of 2003 on Electronic Communications;
  • in the case of electronic marketing: Act XLVIII of 2008 on Commercial Advertisement and Act CVIII of 2001 on Electronic Commerce; and
  • in the case of monitoring and surveillance of individuals: Act CXXXIII of 2005 on Private Security and the Activities of Private Investigators and dozens of other acts depending on the area in which the surveillance of individuals takes place (such as surveillance in streets, in stadiums, or in vehicles).

Other laws

Identify any further laws or regulations that provide specific data protection rules for related areas.

Apart from the general data protection framework, there is separate legislation containing sector-based data protection rules, including areas such as marketing, the financial sector, e-commerce, employment, healthcare and CCTV. In April 2019, the Hungarian parliament adopted a new GDPR implementation package amending 86 sector-based laws.

PII formats

What forms of PII are covered by the law?

The Hungarian lawmaker extended the material scope of the GDPR. Hungarian data protection law covers all forms of PII: not just electronic records, but also manual data processing and - unlike other countries - even cases where the PII does not form part of a filing system and is not intended to form part of a filing system.

Extraterritoriality

Is the reach of the law limited to PII owners and processors of PII established or operating in the jurisdiction?

Hungarian data protection laws apply even to controllers and processors of PII established or operating outside of Hungary if:

  • the controller’s main establishment is located in Hungary; or the controller’s only place of business within the EU is in Hungary; or
  • the controller’s main establishment is not located in Hungary or the controller’s only place of business within the European Union is not in Hungary, but the controller’s or its processor(s)’s data-processing operation(s) relate to:
    • the offering of goods or services to data subjects located in Hungary, irrespective of whether a payment of the data subject is required; or
    • the monitoring of data subjects’ behaviour that occurs in Hungary.

Covered uses of PII

Is all processing or use of PII covered? Is a distinction made between those who control or own PII and those who provide PII processing services to owners? Do owners’, controllers’ and processors’ duties differ?

All processing (except processing by individuals for household purposes) and all operations on PII (such as collection, storage and disclosure) are covered by Hungarian data protection laws.

A distinction is made between the controller, who determines the purpose and the means of the data processing, and the processor, who merely executes the decisions of the controller and processes the PII on behalf of the controller. The processor is not entitled to make any decision on the merits concerning the data processing.

Under Hungarian data protection practice, it is not relevant who owns the PII; the controller may even be an entity that does not access the PII, if it makes the decisions on the processing of the PII.

The controller is primarily responsible for the lawfulness of data processing. However, some obligations apply directly to processors (such as taking appropriate data security measures), and processors may be directly liable if they breach such obligations.

Legitimate processing of PII

Legitimate processing – grounds

Does the law require that the holding of PII be legitimised on specific grounds, for example to meet the owner’s legal obligations or if the individual has provided consent?

There must be a specific ground on which the controller may hold PII. As a general rule, six legal grounds exist:

  • the data subject’s consent;
  • necessity for the performance of a contract (to which the data subject is party or to take steps at the request of the data subject prior to entering into a contract);
  • necessity for compliance with a legal obligation to which the controller is subject (Data Protection Act adds that such legal obligation must be set out in an act of parliament or a municipal decree);
  • necessity to protect the vital interests of the data subject or of another natural person;
  • necessity for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; and
  • necessity for the purposes of the legitimate interests pursued by the controller or by a third party.

The Authority argues that, in the case of holding sensitive PII (special categories of data), apart from having one of the six legal grounds above, the controller must also check whether one of the conditions of article 9 of the GDPR applies (eg, the data subject needs to give explicit consent or the processing needs to be necessary to exercise or defend legal claims).

Legitimate processing – types of PII

Does the law impose more stringent rules for specific types of PII?

Apart from the general rules for holding sensitive PII (see question 11), Hungarian law restricts the processing of certain sensitive PII. The most relevant restrictions are the following:

  • Health data may be processed only based on consent of the data subject or if the controller is authorised to process the data based on the authorisation of Act XLVII of 1997 on processing of health data and for the purposes defined in the act.
  • Employees’ biometric data may be processed for identification purposes under limited conditions (eg, unauthorised access would lead to threat to life or health).
  • Employees’ or job applicants’ criminal data may be processed for vetting purposes only if the applicable Hungarian legislation authorises it or if it is necessary to protect the employer’s significant financial interests, or to protect secret information (set by law), or to protect some other specific legitimate interests of the employer (such as storage of firearms or chemical materials).

Data handling responsibilities of owners of PII

Notification

Does the law require owners of PII to notify individuals whose PII they hold? What must the notice contain and when must it be provided?

The GDPR applies directly. Controllers must notify data subjects whose PII they hold. The notice must contain the elements of article 13 of the GDPR (if PII is obtained from data subjects) or article 14 of the GDPR (if PII is not obtained from data subjects).

The Authority takes a granular approach, as it requires a detailed notice covering the elements of article 13 or 14 of the GDPR at the level of each purpose. This means that the controller must first specify the purpose as precisely as possible (see question 18) and then provide all the relevant information for each data processing purpose.

As a general rule, the notice must be provided at the time the PII is collected from the data subject or (if the PII is not directly collected from the data subject) within a maximum of one month after obtaining the PII.

Exemption from notification

When is notice not required?

It is not necessary to notify the data subject about the processing of PII if:

  • the data subject already has the information (however, in this case, according to the Authority, the controller must be able to prove that the information has already been provided, that all necessary aspects of the data processing have been shared with the data subject and that there have been no changes in the processing);
  • the provision of such information proves impossible or would involve a disproportionate effort;
  • obtaining or disclosure is expressly laid down by EU or member state law to which the controller is subject and which provides appropriate measures to protect the data subject’s legitimate interests; or
  • the personal data must remain confidential subject to an obligation of professional secrecy regulated by EU or member state law, including a statutory obligation of secrecy.

Control of use

Must owners of PII offer individuals any degree of choice or control over the use of their information? In which circumstances?

The GDPR applies directly, and on this basis individuals may exercise control over their information by requesting access to, rectification or erasure of, or restriction of the processing of their PII, or portability of their PII.

The Authority argues that controllers must develop their data processing in a way that individuals have easy control over their PII during the entire life cycle of the processing.

Data accuracy

Does the law impose standards in relation to the quality, currency and accuracy of PII?

PII must be accurate and kept up to date where necessary. Inaccurate PII must be erased or rectified without undue delay. Healthcare is an exemption where the original inaccurate data must be kept in medical records.

Amount and duration of data holding

Does the law restrict the amount of PII that may be held or the length of time it may be held?

The controller may not collect PII that is unnecessary or irrelevant for the purpose (data minimisation) and may hold PII only for as long as it is necessary for the purpose (storage limitation).

If the scope of PII is set by specific national law, then only that PII may be processed. Otherwise, the controller shall decide on its own about the amount of PII, but in line with the data minimisation principle.

If the specific national law sets the retention periods, those retention periods shall apply. If such law determines the circumstances of processing (such as the scope of PII and authorised persons) but not the duration of processing, the necessity of processing should be reviewed every three years. In other cases, the controller shall decide on its own about the duration of processing but in line with the storage limitation principle.

Finality principle

Are the purposes for which PII can be used by owners restricted? Has the ‘finality principle’ been adopted?

PII may only be processed for a specified, explicit and legitimate purpose. The Authority adds that the purpose needs to be as specific as possible (eg, ‘marketing’ is incorrect, as it allows different interpretations, whereas ‘sending newsletters’ is correct, as it allows only one interpretation). If the data was collected for one purpose, in principle it should not be used for another; however, certain exceptions apply (see question 19).

Use for new purposes

If the finality principle has been adopted, how far does the law allow for PII to be used for new purposes? Are there exceptions or exclusions from the finality principle?

Exceptions apply from the finality principle in the following cases:

  • if the new processing is for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes;
  • if the data subject gave consent to the processing for the different purpose; or
  • if the processing for the new purpose is based on EU or member state law that aims to achieve certain objectives (eg, home security or public safety) and the processing is necessary and proportionate to that objective.

If none of the above applies, the controller may carry out a compatibility check according to the GDPR rules to check whether the old purpose is compatible with the new one.

Security

Security obligations

What security obligations are imposed on PII owners and service providers that process PII on their behalf?

The GDPR rules apply directly. The controller must implement measures that protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access. When deciding on the appropriate measures, the controller must take into account:

  • the state of the art (as technology evolves constantly);
  • the costs of implementation of the measures;
  • the context of the data processing (such as its nature, scope and purposes of processing); and
  • the associated risks (arising from the data processing) for the rights and freedoms of data subjects.

The burden of deciding what measures are necessary to mitigate the risks rests entirely on the controller. However, the GDPR itself lists some measures that should be implemented as appropriate:

  • the pseudonymisation and encryption of PII;
  • the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  • the ability to restore the availability and access to PII in a timely manner in the event of a physical or technical incident; and
  • a process for regularly testing, assessing and evaluating the effectiveness of the technical and organisational measures for ensuring the security of the processing.

The controller has the responsibility to choose only those processors who provide sufficient guarantees to implement adequate technical and organisational measures, and to achieve this the controller must conclude a data processing agreement.

For organisations falling under the scope of Act L of 2013 on the electronic information security of state and local administrative bodies (Information Security Act), a stricter set of rules applies. Such organisations are placed into categories 1 to 5, depending on the severity of a possible security breach, and each category requires a different level of data security.

Notification of data breach

Does the law include (general or sector-specific) obligations to notify the supervisory authority or individuals of data breaches? If breach notification is not required by law, is it recommended by the supervisory authority?

If a data breach means a risk to the rights and freedoms of natural persons, the controller must report it to the Authority within 72 hours after gaining knowledge of the data breach. The processor should be obliged in the data processing agreement to notify the controller about the breach promptly, so that the controller can meet the 72-hour deadline.

The controller must also notify the affected natural persons if the breach is likely to result in a high risk to the rights and freedoms of those people (such as physical, material or non-material damage).

Irrespective of whether the threshold for notification is reached, the controller must document all relevant information about data breaches. It is also advisable to retain any documentation as proof that the data breach has been handled adequately.

Apart from this general regime, there are some Hungarian sector-specific notification rules:

  • providers of electronic communication services must also notify the breach to the Hungarian Telecommunication Authority (first notification within 24 hours, second notification within 72 hours after becoming aware of the breach); and
  • organisations falling under the scope of the Information Security Act (see question 20) must report security incidents (including data breaches) promptly to the central incident management centre (defined in the Information Security Act).

Internal controls

Data protection officer

Is the appointment of a data protection officer mandatory? What are the data protection officer’s legal responsibilities?

It is not mandatory to appoint a data protection officer unless:

  • the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
  • the core activities of the controller or the processor consist of processing operations which require regular and systematic monitoring of data subjects on a large scale; or
  • the core activities of the controller or the processor consist of processing on large-scale special categories of PII and PII relating to criminal convictions and offences.

The data protection officer’s role is mainly advisory and supervisory. The officer primarily has the following responsibilities:

  • to inform and advise the controller or the processor and the employees who carry out processing about their obligations under data protection laws;
  • to monitor compliance with data protection laws (such as collecting information about processing, checking the compliance of processing and issuing recommendations on compliance);
  • to provide advice on the data protection impact assessment and monitor its performance;
  • to cooperate with the supervisory authority;
  • to act as the contact point for the supervisory authority on issues relating to processing; and
  • to assist in maintaining the records of processing (not an explicit legal obligation, but recommended as best practice).

Record keeping

Are owners or processors of PII required to maintain any internal records or establish internal processes or documentation?

Both controllers and processors are required to maintain internal records of processing (ROP) under article 30 of the GDPR. An exemption from this obligation applies to an organisation employing fewer than 250 persons, but only if:

  • the processing is only occasional (which is rare);
  • the processing does not result in a risk to the rights and freedoms of data subjects; and
  • sensitive PII or PII relating to criminal data is not processed.

The ROP gives an overall picture of an organisation’s data processing in terms of compliance, and the Authority may start an investigation by asking for it.

As, under the accountability principle, the controller must be able to demonstrate compliance with data protection legislation, it is also advisable to implement internal data protection policies as well as other documentation (such as privacy policies, legitimate interest tests and consent forms).

New processing regulations

Are there any obligations in relation to new processing operations?

The GDPR’s rules on new processing operations apply in Hungary. These are as follows:

  • Privacy by design: Controllers must address the key data protection concerns, such as pseudonymisation or data minimisation, through appropriate technical and organisational measures at an early stage of the processing (at the time of making the decision on processing) and throughout the whole life cycle of the data processing.
  • Privacy by default: Controllers must take appropriate measures so that data processing by default is limited only to a strictly necessary extent in particular in terms of the amount of PII collected, the duration of processing and access rights.
  • Privacy impact assessment (PIA): Controllers must undertake a PIA to mitigate the risks arising from high-risk data processing. The Authority published a list of typical cases when a PIA is required (such as large-scale profiling or systematic monitoring). Controllers may decide on the PIA methodology on their own, but the Authority recommends the Hungarian version of the French data protection authority’s PIA software.

Registration and notification

Registration

Are PII owners or processors of PII required to register with the supervisory authority? Are there any exemptions?

Controllers or processors are not required to register their data processing with the Authority. This obligation ceased in Hungary when the GDPR entered into force.

Formalities

What are the formalities for registration?

Not applicable.

Penalties

What are the penalties for a PII owner or processor of PII for failure to make or maintain an entry on the register?

Not applicable.

Refusal of registration

On what grounds may the supervisory authority refuse to allow an entry on the register?

Not applicable.

Public access

Is the register publicly available? How can it be accessed?

As the data protection registry is no longer applicable, it is not publicly available and cannot be accessed.

Effect of registration

Does an entry on the register have any specific legal effect?

As the data protection registry is no longer applicable, the Authority will not make any new entries to it. However, the old entries may have legal effect, as the Authority may use the registry in the course of an inspection to check whether the controller’s data processing in practice is in line with its previous registrations.

Other transparency duties

Are there any other public transparency duties?

There are other public transparency duties, such as:

  • notification of the Authority about the data protection officer’s contact details; and
  • sector-specific transparency obligations such as the obligation of the employer to disclose its whistle-blower operation on its website or the CCTV operators’ obligation to place an adequate camera sign.

Transfer and disclosure of PII

Transfer of PII

How does the law regulate the transfer of PII to entities that provide outsourced processing services?

The rules on the transfer of PII depend on the qualification of the service provider:

  • If the service provider will act solely based on the transferor’s instructions, it will be qualified as a processor. In such a case, the transferor must conclude a data processing agreement with the service provider pursuant to GDPR rules. The data subject must be notified about the essential details of such a processor (such as its name, the location of processing and the type of processing activity).
  • If the service provider decides on some important outsourced function on its own, independently, it may be qualified as a controller. In such a case, the transfer of PII must be based on a proper legal ground (see question 11) and the data subject must be notified of the details of such a transfer.
  • If the service provider decides on some important outsourced function jointly with the transferor, a joint controllership agreement must be concluded and the essence of the agreement must be made available to data subjects.

Restrictions on disclosure

Describe any specific restrictions on the disclosure of PII to other recipients.

Under the Hungarian data protection practice, disclosure of PII (ie, providing access to PII to an indefinite number of persons) is prohibited, unless the data subject gives his or her consent or the PII relates to public affairs (eg, the PII relates to the exercising of a public function of a person, and not his or her private life).

Controllers must take measures ensuring that, by default, PII is not made accessible to an indefinite number of natural persons without the individual’s intervention; unauthorised disclosure of PII may qualify as a data breach (see question 21).

Cross-border transfer

Is the transfer of PII outside the jurisdiction restricted?

PII may be transferred outside the European Economic Area (EEA) only to countries that provide an adequate level of protection according to the decisions of the European Commission (such as Canada or Japan). In the case of other non-EEA countries, the transfer of PII is permitted only if it is based on appropriate data protection safeguards or if a derogation applies.

Safeguards may include the following legal instruments:

  • model contracts approved by the Commission (their fate is uncertain, as they are legally challenged);
  • binding corporate rules for transfers within international company groups;
  • the Privacy Shield legal framework in the case of transfers to the USA (its fate is uncertain, as it is legally challenged);
  • a code of conduct officially approved according to GDPR rules;
  • a certification mechanism officially approved according to GDPR rules; and
  • an individual transfer agreement approved by the Authority.

Derogations may include:

  • the data subject gives his or her explicit consent to the transfer;
  • the transfer is necessary for the performance of the contract with the data subject;
  • the transfer is necessary to protect the vital interests of an individual;
  • the transfer is necessary for public interest;
  • the transfer is necessary for the establishment, exercise or defence of legal claims; and
  • the transfer is approved by the Authority.

Notification of cross-border transfer

Does cross-border transfer of PII require notification to or authorisation from a supervisory authority?

If the cross-border transfer of PII is permitted (see question 34), no further notification to or authorisation from the Authority is required.

Further transfer

If transfers outside the jurisdiction are subject to restriction or authorisation, do these apply equally to transfers to service providers and onwards transfers?

The cross-border transfer rules equally apply to every form of transfer, irrespective of whether it is a controller-controller, a controller-processor or an onward transfer.

Rights of individuals

Access

Do individuals have the right to access their personal information held by PII owners? Describe how this right can be exercised as well as any limitations to this right.

Individuals may ask the controller to obtain a copy of their personal information or to obtain supplementary information about the processing of their personal information.

Individuals do not have to justify why they want to exercise their right to access. However, certain limitations still apply to this right:

  • The controller may request the individual to identify himself or herself if, for example, the request is submitted orally or by email and the controller has reasonable doubts about the identity. If the individual does not identify himself or herself, the controller may refuse the request.
  • The controller may request the individual to specify his or her request.
  • The controller may refuse the request if it is manifestly unfounded or excessive (but, according to the Authority, in both cases the controller may not refuse the request if the administrative cost of fulfilling the request is trivial).
  • The right to access may not adversely affect the rights and freedoms of others (eg, PII of other data subjects or trade secrets).
Other rights

Do individuals have other substantive rights?

Individuals also have other substantive rights under the GDPR framework. Individuals may ask for:

  • erasure of the PII in some circumstances (if, for example, the PII is no longer necessary for the purpose);
  • rectification of PII (if the PII is inaccurate or incomplete);
  • restriction of processing, meaning that the controller may only store the PII (if, for example, the PII is no longer necessary for the purpose, but the data subject needs it for legal claims);
  • objection to the processing (if the processing is based on legitimate interest and the data subject’s interest overrides the interest of the controller);
  • portability of their PII (meaning either to receive the PII in a portable format or to direct the controller to transmit the PII to another controller);
  • not being subject to a decision based solely on automated processing; and
  • damages.

Compensation

Are individuals entitled to monetary damages or compensation if they are affected by breaches of the law? Is actual damage required or is injury to feelings sufficient?

Individuals may claim both material damages, covering the actual damage, and non-material damages, covering injury to feelings. Controllers and processors bear the burden of proving that no breach of data protection law has occurred.

Enforcement

Are these rights exercisable through the judicial system or enforced by the supervisory authority or both?

Individuals may claim damages only before the courts, but the other rights may be enforced before both the Authority and the courts.

Exemptions, derogations and restrictions

Further exemptions and restrictions

Does the law include any derogations, exclusions or limitations other than those already described? Describe the relevant provisions.

The Data Protection Act established the possibility of exercising some data subject rights (listed in questions 37 and 38) on behalf of deceased persons. For five years after the death of the data subject, a close relative or a person authorised by the data subject may exercise certain data subject rights under the conditions set out in the Data Protection Act.

Supervision

Judicial review

Can PII owners appeal against orders of the supervisory authority to the courts?

PII owners can appeal against the Authority's decision on the merits to the Budapest Capital Regional Court.

Specific data processing

Internet use

Describe any rules on the use of ‘cookies’ or equivalent technology.

The Authority issued some guidance about using cookies. The most important rules are the following:

  • The user must be informed about the cookies. In practice, a pop-up message should appear on the first visit to the website, containing a link to the full cookie notice.
  • Non-functional cookies, which are not essential for the website's operation (such as marketing or analytical cookies), may be placed on the user's device only on the basis of the user's prior, informed and explicit consent.
  • Functional cookies, which are essential for the website's operation (eg, without them the communication through the website would not work), may be placed on the user's device without his or her consent, but a legitimate interest test must be conducted to prove that the website operator's interest in placing the cookies is stronger than the user's privacy interest.
  • The website operator is liable for the third-party cookies on its website, and should therefore use only third-party cookies of which it has full knowledge.

Electronic communications marketing

Describe any rules on marketing by email, fax or telephone.

Under the Advertising Act, sending unsolicited electronic marketing (via email, fax or SMS) is permissible only if the prior, explicit and unambiguous consent of the recipient has been obtained. However, the Authority in its guideline recognised that based on the GDPR, it is permissible to send direct marketing communication if:

  • it is directed to existing clients;
  • it relates to similar products and services;
  • the client has the possibility to opt out of future communication; and
  • the sender performs and documents the legitimate interest test in which it explains why its business interest overrides the client’s interest.

In the case of voice-to-voice calls, the individual may be called only if he or she has not objected to such communication (eg, there is no § or other mark in the relevant publicly available phone directory showing that the person does not wish to receive marketing calls). In the case of automated calls, the holder of the phone number must give prior explicit consent to the call (eg, in the phone subscription contract).

Cloud services

Describe any rules or regulator guidance on the use of cloud computing services.

There is no specific Hungarian legislation explicitly regulating cloud computing, and the Authority has not issued any guidance on it either. Controllers are, however, advised to adhere to European best practices (such as the WP29's Opinion on Cloud Computing).

Furthermore, the Central Bank of Hungary (CBH) recently issued new guidance (effective from 1 May 2019) on how financial institutions should use social and public clouds. The guidance, among other things, contains rules on the minimum elements of cloud service agreements, risk analysis, implementation of cloud systems, control mechanisms, exit strategy and notification to the CBH.

Update and trends

Key developments of the past year

Are there any emerging trends or hot topics in international data protection in your jurisdiction?

No updates at this time.