The Hungarian data protection authority (NAIH) has recently issued a decision on whether the consent of customers was required for a selling company to be able to transfer a database containing customer details or whether notice of the transfer was sufficient (Decision). This is the first time this issue has been addressed in Hungary.
The NAIH confirmed it was possible to transfer such an asset without the consent of the data subject, subject to the guidance set out in the Decision including:
- Setting out the data processing related tasks in the SPA;
- Carrying out a balancing exercise;
- Notify the customer of the outcome of the balancing exercise;
- Giving the customer a right to object; and
- Complying with data retention requirements.
A copy of the Decision is available here (Hungarian).
What action could be taken to manage risks that may arise from this development?
Companies should ensure that they comply with the guidance set out in the Decision should it be a party to an asset transfer involving personal data.