Law and the regulatory authority

Legislative framework

Summarise the legislative framework for the protection of personally identifiable information (PII). Does your jurisdiction have a dedicated data protection law? Is the data protection law in your jurisdiction based on any international instruments on privacy or data protection?

The general Hungarian regulatory instruments for the protection of PII are the General Data Protection Regulation (GDPR) and Act No. CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information (Data Protection Act).

The Data Protection Act was amended in July 2018 to implement the GDPR in Hungary. The Data Protection Act has three building blocks:

  • Provisions applying to data processing that are under the scope of the GDPR. These are additional procedural and substantial rules, where the GDPR permits derogation or the application of national laws.
  • Provisions applying to data-processing operations which fall outside the scope of the GDPR.
  • Provisions applying to data processing for law enforcement, national security and national defence purposes to implement the Directive (EU) 2016/680 of the European Parliament and of the Council (Law Enforcement Directive).


Data protection authority

Which authority is responsible for overseeing the data protection law? Describe the investigative powers of the authority.

The authority responsible for overseeing the data protection law is the National Authority for Data Protection and Freedom of Information (the Authority). The Authority has the following investigative powers:

  • it may ask for information and request the client to make statements;
  • it may take testimony from witnesses (including conducting interviews);
  • it may access all PII and information that is necessary for the performance of its tasks;
  • it may also ask for copies of PII and other information;
  • it may make on-site visits and request access to equipment used in the course of the data processing; and
  • it may ask for expert opinions.


Cooperation with other data protection authorities

Are there legal obligations on the data protection authority to cooperate with other data protection authorities, or is there a mechanism to resolve different approaches?

The Authority is a member of the European Data Protection Board (EDPB), which publishes guidelines to ensure consistency across member states in the interpretation of the GDPR. With regard to issues that are covered by guidelines of the EDPB or of the Article 29 Data Protection Working Party (the predecessor of the EDPB), the Authority follows those guidelines.

In the case of cross-border data processing, the Authority suspends the proceeding until the lead supervisory authority makes its statement on taking over the case under the GDPR's one-stop-shop mechanism. In such cases, the lead supervisory authority and the Authority must cooperate to find a mutually acceptable solution. If they cannot, the consistency mechanism applies, in which the EDPB may have the final word.

Breaches of data protection

Can breaches of data protection law lead to administrative sanctions or orders, or criminal penalties? How would such breaches be handled?

Breaches may lead to sanctions, which depend on the type of the breach. The most feared sanction is the administrative fine for breaching the GDPR, which may reach €20 million or 4 per cent of the organisation’s annual turnover (whichever is higher).

The Authority may also impose corrective measures set out under the GDPR such as:

  • issuing reprimands to a controller or a processor where processing operations have infringed provisions of the GDPR;
  • ordering the controller or the processor to comply with the data subject’s request to exercise his or her rights;
  • ordering the controller or processor to make their processing operations comply with the provisions of the GDPR;
  • ordering the controller to communicate a personal data breach to the data subject;
  • imposing a temporary or definitive limitation (a ban on processing);
  • ordering the rectification or erasure of PII or restriction of processing;
  • ordering the suspension of data flows to a recipient in a third country or to an international organisation; and
  • withdrawing a certification or ordering the certification body to withdraw a certification.


A breach of data protection laws may also lead to criminal penalties if such a breach is committed for financial gain or if it causes significant detriment for individuals. The Authority has two kinds of procedures to handle breaches:

  • Investigation: The Authority may start an investigation based on a complaint (which may be made by anyone) or ex officio. At the end of the investigation, the Authority may issue an order to remedy the situation. The controller shall remedy the situation within 30 days of receiving the order. In the investigation procedure, the Authority imposes neither a fine nor other corrective measures.
  • Administrative procedure: The administrative procedure may be launched based on a complaint (only the concerned data subject may make a complaint) or ex officio. The Authority launches the administrative procedure ex officio only if, in the investigation phase, it had issued an order but the controller did not remedy the situation within the deadline, or if, in the investigation phase, it concluded that unlawful processing occurred and a fine may be imposed under the GDPR rules.


Scope

Exempt sectors and institutions

Does the data protection law cover all sectors and types of organisation or are some areas of activity outside its scope?

Hungarian data protection laws cover all types of organisations. Exemption applies in the case of individuals processing personally identifiable information (PII) for household purposes, but otherwise any organisation that processes PII will be under the scope of Hungarian data protection laws.

Even when the General Data Protection Regulation (GDPR) does not apply (such as processing of PII by national security entities or courts), the provisions of Act No. CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information (the Data Protection Act) still apply. In such a case, the National Authority for Data Protection and Freedom of Information (the Authority) remains the supervisory authority, with a limited corrective power to impose a fine of up to 20 million Hungarian forints. In the case of the processing of PII by courts, the processing is supervised by the courts (not the Authority).

As these exemptions are rare, we will focus only on processes that fall under the scope of the GDPR.

Communications, marketing and surveillance laws

Does the data protection law cover interception of communications, electronic marketing or monitoring and surveillance of individuals? If not, list other relevant laws in this regard.

The GDPR and the Data Protection Act cover these areas together with specific Hungarian national legislation such as:

  • in the case of interception of communications: Act XC of 2017 on Criminal Procedure and Act C of 2003 on Electronic Communications;
  • in the case of electronic marketing: Act XLVIII of 2008 on Commercial Advertisement and Act CVIII of 2001 on Electronic Commerce; and
  • in the case of monitoring and surveillance of individuals: Act CXXXIII of 2005 on Private Security and the Activities of Private Investigators, and dozens of other acts depending on the area in which the surveillance of individuals takes place (such as surveillance in streets, in stadiums, or in vehicles).


Other laws

Identify any further laws or regulations that provide specific data protection rules for related areas.

Apart from the general data protection framework, there are separate pieces of legislation containing sector-based data protection rules, covering areas such as marketing, the financial sector, e-commerce, employment, healthcare and CCTV. In April 2019, the Hungarian parliament adopted a new GDPR implementation package amending 86 sector-based laws.

PII formats

What forms of PII are covered by the law?

The Hungarian legislature extended the material scope of the GDPR. Hungarian data protection law covers all forms of PII: not just electronic records, but also manual data processing and – unlike other countries – even cases in which the PII does not form part of a filing system and is not intended to form part of one.

Extraterritoriality

Is the reach of the law limited to PII owners and processors of PII established or operating in the jurisdiction?

Hungarian data protection laws apply even to controllers and processors of PII established or operating outside of Hungary if:

  • the controller’s main establishment is located in Hungary; or the controller’s only place of business within the EU is in Hungary; or
  • the controller’s main establishment is not located in Hungary or the controller’s only place of business within the European Union is not in Hungary, but the controller’s or its processor’s data processing operation(s) relate to:
    • the offering of goods or services to data subjects located in Hungary, irrespective of whether a payment of the data subject is required; or
    • the monitoring of data subjects’ behaviour that occurs in Hungary.


Covered uses of PII

Is all processing or use of PII covered? Is a distinction made between those who control or own PII and those who provide PII processing services to owners? Do owners’, controllers’ and processors’ duties differ?

All processing (except processing by individuals for household purposes) and all operations on the PII (such as collection, storage and disclosure) are covered by Hungarian data protection laws.

A distinction is made between the controller who determines the purpose and the means of the data processing and the processor who merely executes the decisions of the controller and processes the PII on behalf of the controller. The processor is not entitled to make any decision on the merits of the data processing.

The controller is primarily responsible for the lawfulness of data processing. However, some obligations apply directly to processors (such as taking appropriate data security measures), and processors may be directly liable if they breach such obligations.

Law stated date

Correct on

Give the date on which the information above is accurate.

15 May 2020.