We recently reported on the draft bill containing important amendments to the Hungarian General Data Protection Act (Act 112 of 2011 on Informational Self-determination and Freedom of Information, the "Info Act"): on 30 June, the government approved the bill and asked the Hungarian parliament to pass it in the course of an extraordinary procedure; on 6 July the parliament passed the bill; on 11 July the President of the Republic signed it; and on 13 July it was published in issue 102 of 2015 of the Hungarian Official Gazette.

The new act, the full name of which is Act 129 of 2015 on Amendments to Act 112 of 2011 on Informational Self-determination and Freedom of Information and Further Acts, contains significant amendments to the Info Act, including the introduction of Binding Corporate Rules (BCRs) into Hungarian law, a general obligation for all businesses to maintain an internal register of data breaches, and increased fines. These amendments will come into effect on 1 October 2015.

We present below a summary of the new provisions based on the final wording of the new act.

Binding Corporate Rules (BCRs)

Hungarian data protection legislation has been without provisions on BCRs for decades, so it was unclear whether BCRs could be used in Hungary to ensure an adequate level of protection in cross-border data transfers. The prevailing approach, also confirmed by the Hungarian data protection regulator, the Hungarian Authority for Data Protection and Freedom of Information (NAIH), was that the lack of legal provisions meant that BCRs could not be accepted in Hungary. The new act introduces the missing provisions into the Info Act, enabling businesses to rely on BCRs in Hungary.

As of 1 October 2015, the new provisions will allow international companies already using BCRs (in Hungarian: "kötelező szervezeti szabályozás") in other EU jurisdictions to extend the scope of their existing BCRs to Hungary, while companies with Hungarian headquarters, which so far could not rely on BCRs for their intra-group data transfers outside the EEA, may consider introducing BCRs. In both cases BCRs could be an alternative mechanism for data transfers within the corporate group.

NAIH will have the power to approve BCRs, subject to a fee, the amount of which is currently unknown, as it will be published in a separate ministerial decree. NAIH will have 60 days to decide on the approval of BCRs and will also publish the names of businesses relying on BCRs on its website.

Requests for the approval of BCRs should contain:

  • General information on the data processing in question:
    • purpose, term, location and legal basis of the data processing
    • source and scope of the data
    • scope of the people affected
    • description of the data transfers (data type, transferee, legal basis)
    • name and address of the data controller(s) and the data processor(s)
    • description of the activities of the data processor(s)
    • description of the data processing technology
    • contact details of the internal data protection officer (if any)

It will not be necessary to provide the above information if the data processing in question has already been registered with NAIH; in this case it is sufficient to indicate the registration number obtained earlier from NAIH.

  • Specific information on BCRs
    • draft of the BCRs
    • data certifying the binding nature of the BCRs
    • data showing if the BCRs were already approved in another EEA Member State

The law is silent on mutual recognition, but it does provide that if the BCRs filed with NAIH for approval in Hungary have already been approved by the data protection authority of another EEA Member State, the controller should also provide NAIH with the relevant information so that this can be verified. The current text of the law does not provide that in such a case NAIH will automatically approve the BCRs, so it would be too early to state that Hungary will be part of the mutual recognition mechanism developed by the Article 29 Working Party to ease the BCR approval process at Member State level.

The amendments do not contain any transitory provisions regarding BCRs already approved in other EU jurisdictions, so it is currently unclear how such existing BCRs will be treated by NAIH.

The law also contains a significant exception: data controllers who are subject to the Hungarian public information security regulations cannot rely on BCRs. As those regulations already prohibit the transfer of public data outside the EEA, it is unclear why a double ban was necessary, especially as the broad wording of the current provisions could also cause problems in the telco sector, where certain telecommunications infrastructure may be subject to the public information security regulations.

Key details on BCRs in Hungary (Q&A based on the WP29 "National filing requirements for controller BCR" table):

  • Do you need to apply before the DPA to obtain a national authorisation of transfers made under BCR? Yes.
  • Who should apply? The controller.
  • Documents to be provided to the DPA when requesting an authorisation of transfer based on BCR:
    • general information on the data processing in question
    • draft of the BCRs
    • data certifying the binding nature of the BCRs
    • data showing if the BCRs were already approved in another EEA Member State
    • specific application forms have not yet been published, but it is likely that NAIH will accept the standard WP 29 (WP133) application form or publish similar forms
  • Documents to be publicly disclosed by DPA: NAIH will publish the name of businesses relying on BCRs on its website. However, as the content of the data protection register is public, even though it is not accessible online, it is likely that NAIH will allow access to all relevant information upon the request of a data subject.
  • Timing to get authorisation of transfers based on BCR (when all relevant documents provided): NAIH will have 60 days to make a decision in relation to BCRs.
  • Translation in local language for DPA review: Unclear, but it is unlikely that NAIH will require a Hungarian translation if the language of the BCRs is English. The authorisation will be given in Hungarian.
  • Link to local filing forms: Not available yet, but it is likely that NAIH will accept the standard WP 29 (WP133) application form or publish similar forms. Non-BCR related filing forms are available on the NAIH website (in Hungarian). Filings can also be made online using software developed by NAIH.
  • Additional requirements: Authorisation by NAIH will be subject to a fee, the amount of which is currently unknown, as it will be published in a separate ministerial decree.
  • Scope of the authorisation granted by the DPA: This is currently unclear, but it is likely that an authorisation will be delivered to the controller which applied for the approval (located in Hungary and bound by the BCR-C) and will cover all transfers based on these BCR-C.

General obligation to maintain a Data Breach Register

There will be a general obligation on all data controllers to maintain a register of all "data protection incidents" (in Hungarian: "adatvédelmi incidens"), which are defined as "unlawful processing of personal data by a controller or processor, including but not limited to unauthorised access, alteration, transfer, disclosure, deletion or destruction, or accidental destruction or loss".

The purpose of the data breach register is twofold:

  1. it should help data subjects to obtain information on the handling of their personal data, and
  2. it should allow NAIH to carry out investigations.

Currently only electronic communication providers are subject to data breach obligations, including not only the obligation to maintain a register, but also to report data breaches to the Hungarian Media and Communications Authority (NMHH), and in certain circumstances also to send a notice directly to data subjects. The amendments will not impose additional obligations on telcos.

The new provisions only address the obligation to maintain a register; they are silent on reporting to NAIH or other authorities and on notifying data subjects directly. This means that, contrary to the telco sector, it will not be legally required to notify the regulator and/or data subjects. Of course, companies can decide to do so, especially if a data breach is likely to adversely affect the personal data or privacy of the data subject or another individual. It is also likely that NAIH will encourage this and, if it comes to enforcement action, will impose a lower fine on a controller which proactively notified data subjects.

The data breach register should include at least the following information in relation to each data protection incident:

  • scope of personal data affected by the incident
  • group and number of individuals involved
  • date and time of the incident
  • circumstances of the incident
  • likely consequences of the incident for the affected individuals
  • measures applied to mitigate the possible adverse effects of the incident

It is of utmost importance that the data breach register should not duplicate the personal data itself, but should contain only the above information. This means that merely retaining raw log files is unlikely to comply with the new provisions. The data breach register entries should be kept for at least five years (20 years in the case of sensitive data).

In a nutshell, the new general obligation to maintain a data breach register affects all companies carrying out data processing activities in Hungary. As the obligations fall on data controllers, they will need to review their existing agreements with third party controllers and processors and add provisions requiring the reporting of data breaches detected by such third parties, as well as insert corresponding provisions into their standard agreements to meet these obligations. Of course, data processors should also consider re-evaluating their existing processes, policies and standard agreements so that they are able to respond to their clients' needs. As the obligations will apply from 1 October 2015, there is not much time to prepare.

Stronger enforcement tools for NAIH - increasing fines

NAIH will be able to establish an infringement even if the controller restored compliance before the end of the investigation. It will also be clearer in which cases NAIH is legally obliged to commence an investigation and in which cases it has discretion to do so. NAIH will also have more options for publishing enforcement decisions.

Since 2012, when the Info Act came into force, the maximum amount of a regulatory fine has been HUF 10 million (approx. EUR 33.3k). As of 1 October, this will be doubled, i.e. NAIH will be able to impose a fine of up to HUF 20 million (approx. EUR 66.6k).

Freedom of public information provisions

The new law also amends the freedom of information provisions. While this mainly affects the public sector, it is worth mentioning that NGOs and watchdogs have strongly criticised the new provisions, claiming that they would restrict access to public information, as requesters will have to pay the costs related to their queries. Mr Péterfalvi, President of NAIH, recently stated that these complaints are exaggerated, as NAIH will ensure that access will not become more burdensome and that the costs related to queries will be set at a low level.

Effective date

The amended freedom of information provisions came into force on 16 July. All other provisions, including those on BCRs and the general obligation to maintain a register of data breaches, will come into force on 1 October.