Hungary: Data protection guide

31 July 2012

Dr. Bálint Halász, Dr. Fekete-Győr Ákos


Associates Bálint Halász and Ákos Fekete-Győr from our office in Budapest have authored a comprehensive guide on the application of data protection laws in Hungary.

The document, which was published on Thomson Reuters' Complinet website, includes detail on the coverage of the Hungarian law on data protection issues, its relation with EU laws and information on confidentiality and notification. The guide also includes sections on enforcement and exceptions.

If you would like to access the complete guide on Thomson Reuters' Complinet website, click here. (You must have an account on Thomson Reuters' Complinet to access the full text.)

Full text: 


Introduction

Title and date of national law

The general provisions of data protection are included in Act CXII of 2011 on informational self-determination and freedom of information (Privacy Act), which took effect on January 1, 2012. The Privacy Act replaced Act LXIII of 1992 on the protection of personal data and the disclosure of public data.

Relation with international instruments

The Privacy Act implements EU Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and the free movement of such data. Hungary has also ratified the Council of Europe Treaty 108 for the protection of individuals with regard to the automatic processing of personal data with Act VI of 1998. There are however certain issues where the implementation of the Directive is at least controversial, such as legal grounds of data processing, transfer to third countries and use of sub-processors.

Is the national law regarded as equivalent to EU standards or as meeting other regional standards?

The Privacy Act (and the previous data protection act) is widely considered relatively strict compared to other EU member states' regulation. Hungary's new constitution (Basic Law) under Article VI provides the right to protection of personal data, which is monitored and enforced by an independent authority (i.e. the new Hungarian National Authority for Data Protection and Freedom of Information; Authority). The Privacy Act is intended to implement the provisions of the Directive; nevertheless, the implementation of certain issues is at least controversial, as mentioned above.

While some provisions give the Privacy Act a stronger enforcement focus, such as the new Authority's stronger investigatory and enforcement rights, several areas remain inconsistent with the Directive. In particular, EU attention has focussed on the Agency's attachment to the Hungarian state, in violation of EU laws on regulator independence. The European Commission has commenced infringement proceedings against Hungary in this regard, and the proceeding is currently pending before the Court of Justice of the European Union (CJEU).

Coverage

  • Data privacy
    Covered by the Privacy Act and also by other Acts (e.g. Insurance Act, E-Commerce Act) in certain areas of law.

  • Marketing
    The Privacy Act provides the general terms but the special means of marketing e.g. electronic marketing is covered by Act CVIII of 2001 on e-commerce (E-Commerce Act) and direct marketing is covered by Act XLVIII of 2008 on advertising (Advertising Act).

  • Surveillance and retention of data
    Surveillance is not expressly addressed by the Privacy Act; nevertheless, its general provisions also apply in this field. Act CXXXIII of 2005 on private security and investigation services also contains relevant provisions. Hungary's new Labour Code, entering into force on July 1, 2012, will expressly protect employees against unlawful surveillance at workplaces.

  • Exclusions
    The rules of the Privacy Act are not applicable to data processing for private use or if the data is not processed in Hungary. However, the Privacy Act applies if a data controller established outside of Hungary uses a data processor established in Hungary. The same applies to the use of devices in Hungary, unless the device itself is used only for the transfer of data within the EU. In the latter case, however, the data controller shall appoint a representative in Hungary.

  • Other material notes
    There are sector specific data protection laws (e.g. Insurance Act, Financial Institutions Act, E-Commerce Act).
    The Authority conducts investigations, issues guidelines and recommendations, imposes fines etc.

Nature of legal instruments, e.g., generally applicable specific law, constitutional rights, self-executing Convention Rights

The provisions of the Privacy Act apply generally; they serve as "background" provisions to other Acts which regulate data protection and privacy related matters. The right to the protection of personal data and the right to privacy are protected by the Basic Law, providing constitutional protection to data subjects.

Date(s) of implementation of main law

The Privacy Act has been in force since January 1, 2012. The previous data protection act was in force between 1992 and 2011.

Detail

General

Relation with EU law and third pillar issues

As mentioned above, the Privacy Act is intended to implement the Directive; nevertheless, certain provisions seem to be inconsistent with the Directive, especially considering recent case law of the CJEU. Processing of criminal, election and citizenship data is regulated by other acts.

Whether national law covers third pillar matters

Certain national laws cover third pillar matters.

Whether there are differences between public and private sector regulation or specific sectoral regulation

The Privacy Act should be considered the general Act providing rules regarding the protection of personal data and the disclosure of public data (information relating to a body or person performing public duties and carrying out state or local government responsibilities). Beyond the scope of the Privacy Act, there are other sectoral Acts (e.g. Advertising Act, Insurance Act, Financial Institutions Act) which provide additional data protection related provisions. Acts regulating data processing by the public sector are usually harmonised with the Privacy Act and provide the same or a similar level of protection for data subjects.

Coverage and scope of the Privacy Act

Who is covered?

The scope of the Privacy Act covers all data processing activities undertaken in Hungary relating to the data of private individuals (i.e. data subjects), as well as data of public interest and data disclosed on grounds of public interest. The Privacy Act applies to activities of both data controllers and data processors.

What data is covered (manual or electronic)?

The provisions of the Privacy Act apply to data processed both manually and electronically. The Privacy Act contains the following definitions:

i. personal data: data relating to the data subject, in particular the name and identification number of the data subject, as well as one or more factors specific to his physical, physiological, mental, economic, cultural or social identity as well as conclusions drawn from the data with regard to the data subject;

ii. sensitive data: personal data relating to racial or ethnic origin, political views, religion, sexual life, health and criminal personal data;

iii. criminal personal data: personal data relating to the data subject and the criminal record;

iv. data of public interest: information or data other than personal data recorded by any means or form concerning activities undertaken and controlled by a body or individual carrying out state or local government responsibilities;

v. data disclosed on grounds of public interest: data other than data of public interest, the disclosure of or the access to which is ordered by law.

The Privacy Act covers both automatic and manual data processing as well as technical data processing (note that the latter is defined as a separate activity undertaken by a data processor).

What personally identifiable information is covered?

The Privacy Act covers personal data, special (or sensitive) data and criminal personal data which make it possible to draw a direct conclusion in relation to a data subject.

How are the territorial boundaries established?

The Privacy Act applies to data processing in Hungary. The Privacy Act also applies if a data controller established outside of Hungary uses a data processor established in Hungary. The same applies to the use of devices in Hungary, unless the device itself is used only for the transfer of data within the EU. In the latter case, however, the data controller shall appoint a representative in Hungary.

The grounds for processing

Does the law require a justification for processing personally identifiable information?

Yes. Traditionally, data can be processed based on consent or statutory provisions. The two "traditional" legal bases are the following:

i. the data subject has provided his consent (according to the Privacy Act, the consent must be given voluntarily, unambiguously and based on adequate information);

ii. provisions of an act or a local government decree, for a purpose based on public interest, if an act entitles the local government to publish such a decree.

Basis for processing any personal data

As mentioned above, the Hungarian data protection regime has traditionally been very strict as to the legal grounds for data processing. The Privacy Act, which has been in force since January 1, 2012, essentially retains the general consent requirement but also enacts a limited implementation of Article 7(c) and (f) of the Directive by adding further requirements not included in the Directive.

According to Article 6 of the Privacy Act, processing on the basis of compliance with the controller's legal obligations or for the legitimate interests of a controller or third party is only permitted if it is impossible to obtain consent or if obtaining consent would require disproportionate expense. This limitation is controversial given the recent case law of the CJEU, which ruled in November 2011 that a similar provision in the Spanish legislation was incompatible with EU law (see CJEU C-468/10 and C-469/10).

Furthermore, the Privacy Act also allows processing to a limited extent if a data subject is not able to give his consent due to his incapacity to act or other circumstances beyond his control and data processing is necessary to protect his own or others' vital interests, as well as to the extent required to prevent direct threat to his or others' life, physical safety or property.

Any special provisions for sensitive personal data

Special (or sensitive) data may be processed if:

i. the data subject has consented thereto in writing;

ii. the processing of these data is necessary for the execution of an international treaty or the enforcement of a right determined by the Fundamental Act of Hungary (i.e. the Constitution) or national security, crime prevention and law enforcement purposes;

iii. it is ordered by law.

Principles relating to finality

Fair and lawful processing

Data processing is deemed lawful if the data subject has provided his consent or it has been ordered by law or by a local government decree. If, however, consent has been obtained in an unlawful manner, then the mere existence of consent cannot legalise unfair processing.

Hungarian law requires detailed information to be given to data subjects. In addition to the aforementioned, the data subject, prior to the commencement of data processing, must be adequately and thoroughly informed especially about (a) the purpose, (b) the legal basis of data processing, (c) the persons involved as data processors, (d) the length of data processing, (e) the legal basis of data processing, (f) the list of individuals who may get to know those data and (g) the data subject's data processing related rights and available legal remedies.

In Hungary, strict purpose limitation applies. According to the Privacy Act, personal data can be processed only for a definite purpose, to exercise rights and comply with obligations. During the whole process of data processing, the purpose of data processing must be met and personal data must be recorded and processed in a fair and lawful manner.

Finality principle

According to the Privacy Act, only such personal data can be processed which is indispensable and appropriate for the realisation of the purpose of data processing. Personal data can only be processed to the extent and for the period necessary for the realisation of the purpose of data processing.

Other

Principles relating to data quality

Data adequacy, accuracy and retention

According to Section 4(2) of the Privacy Act, only such personal data can be processed which is indispensable and appropriate for the realisation of the purpose of data processing. Personal data can only be processed to the extent and for the period necessary for the realisation of the purpose of data processing. According to Section 4(4) of the Privacy Act, during the term of data processing the accuracy, the completeness and (if it is necessary for the purpose of data processing) the up-to-date status of the data must be ensured. Furthermore, it must also be ensured that the data subject can only be identified for as long as is necessary for the realisation of the purpose of data processing.

Personal data can be retained until the purpose of data processing is realised. After this period, personal data must be deleted or made anonymous. In case of data transfer, the data controller must keep a data transfer register in which the personal data must be kept for at least five years, while special (or sensitive) data must be kept for at least 20 years.

Anonymisation

Pursuant to Section 4(4) of the Privacy Act, during the term of data processing it must be ensured that the data subject can only be identified until the purpose of data processing is realised. According to Section 7(4) of the Privacy Act, for the protection of electronically processed sets of data kept in various registers, it must be ensured with adequate technical solutions that the data kept in these registers cannot be directly connected with the data subjects.

Other

Personal data can be processed for scientific research purpose; however, it must be permanently ensured that the data subject cannot be identified. Personal data can be processed for statistical purposes by the Hungarian Central Statistical Office in a way that the data subject can be individually identified.

Rights of data subjects

Subject access

Prior to commencing data processing, the data subject must be provided with adequate and detailed information especially about (a) the purpose, (b) the legal basis of data processing, (c) the persons involved as data processors, (d) the length of data processing, (e) the legal basis of data processing, (f) the list of individuals who may get to know those data and (g) the data subject's data processing related rights and available legal remedies.

In addition to the above, the data subject may request (i) information about the data processing from the data controller, (ii) amendment of his personal data, (iii) deletion or blocking of his personal data. Upon the request of the data subject, the data controller provides information about (i) the data processed by the data controller and the technical data processor, (ii) the legal basis thereof, (iii) the purpose of data processing, (iv) the length of data processing, (v) the name, address and data processing related activity of the technical data processor and (if the data are transferred) (vi) the legal basis and recipient of the data transfer. The data controller is obliged to provide information requested in writing within 30 days. The provision of the information requested is free of charge if the data subject has not submitted a request in the same year regarding the same scope of data. In other cases, a fee can be determined by the data controller and the data subject (it can also be determined in an agreement). In certain cases specified by law, the data controller may refuse to provide information to the data subject. In this case the data controller must inform the data subject about the reason for refusal in writing, and inform the Authority as well.

In cases determined by law, the personal data must be deleted.

The data subject furthermore has the right to object.

Rights to object to processing

Pursuant to Section 21 of the Privacy Act, the data subject may object to data processing:

i. if the processing or transfer of personal data is necessary for the fulfilment of the legal obligations of the data controller, or the enforcement of lawful interests of the data controller, data recipient or third party, except in case of mandatory data processing;

ii. if the personal data is used or transferred for direct marketing, public opinion surveys or scientific research purposes; or

iii. based on other statutory provisions.

The data controller must assess the objection and make a decision within 15 days at the latest. The data subject must be informed about the decision in writing. If the data controller agrees with the objection, it terminates the data processing, blocks the data and informs all data recipients, where applicable. If the data subject does not agree with the decision of the data controller or if the data controller fails to process the request within 15 days, then the data subject may file a claim with the court.

Automated decisions

A decision based on the evaluation of the data subject's personal traits can only be made exclusively by automated technical data processing if:

i. the decision has been made during the conclusion or the fulfilment of a given contract, provided the decision was initiated by the data subject;

ii. the decision making is provided for by a law which determines measures ensuring the lawful interests of the data subject.

If the decision has been made by automated technical data processing, the data subject must be informed about the applied method and the merits thereof, and the data subject must be given the opportunity to comment thereon.

Other rights

If the data controller does not provide the data subject with the information requested, does not amend/delete/block the personal data, does not respond to an objection of a data subject within the due time, or the data subject states that the data controller has infringed his rights, the data subject may file a claim with the court.

Confidentiality and security of processing

Security obligations

The data controller is obliged to ensure the protection of privacy. Both data controllers and data processors, within their scope of activities, are obliged to ensure data security, implement such technical and organisational measures and elaborate those procedural rules which are deemed necessary for the enforcement of data protection related Acts.

Personal data must be protected with appropriate measures especially against:

i. unauthorised access;

ii. unauthorised alteration;

iii. unauthorised transfer;

iv. unauthorised disclosure;

v. unauthorised deletion or destruction;

vi. accidental destruction or damage.

For the protection of electronically processed sets of data kept in various registers, it must be ensured with adequate technical solutions that the data kept in these registers cannot be directly connected with the data subjects. In case of automated processing of personal data, additional measures must be implemented by the data controller and the technical data processor. The data controller and the data processor must use state-of-the-art technology and choose the solution providing higher security.

Use of data processors

Data controllers may use data processors to perform certain technical tasks on data. Activities of data processors are defined as "technical data processing" in the Privacy Act. A data processor must be appointed in a written agreement. The rights and obligations of the technical data processor are determined by the data controller, and the data controller is liable for the activity of the technical data processor.

Previous Hungarian data protection law expressly precluded sub-processing. Unfortunately, the Privacy Act keeps this odd and outdated requirement which clearly conflicts with the needs of the cloud computing industry, not to mention EU law (see Commission Decision 2010/87/EU on SCCs for the transfer of personal data to processors established in third countries). The former Commissioner had stated that EU law should prevail on this matter. However, this interpretation has not been confirmed by the courts, and the Act as it stands retains the exclusion. There is no guarantee that the new Authority head will take the same approach as his predecessor. The technical data processor cannot make processing related decisions and must perform its tasks in accordance with the instructions of the data controller.

Other

Notification

Rules for notification

The Privacy Act shifts from the previous notification system to a strict authorisation requirement. This more onerous filing obligation is a setback for data controllers. Under the new rules, the Agency is required to approve or reject a data processing request within eight days of receipt. Data processing may only be commenced after receipt of the Agency's approval, although data processing can be commenced without it if the Agency does not respond in time. Data controllers also need to pay a fee for registration, although the level of this fee (likely to be minimal) has yet to be formally announced. Until the level of the fee is published, requests for approval can be filed free of charge.

Exceptions

The Act provides certain exceptions to the authorisation requirements. Processing of certain types of data, such as employee or customer data, is exempt. However, in relation to customer data, financial institutions, community service providers and electronic communication service providers have lost their exemption. Critics have denounced authorisation as an administrative burden on businesses, especially given that the need to seek consent from data subjects arguably limits the usefulness of the exercise.

Prior checking

N/A.

Other

The Authority must be informed about the requests of data subjects rejected by the data controller by January 31 of the year following the year concerned.

Overseas transfers

Does the law restrict overseas transfers?

Data can be transferred to a country located outside the EEA if (i) the data subject has expressly consented to the transfer, or (ii) the data subject previously consented to local processing and an adequate level of protection is ensured in the third country, or (iii) processing is compulsory according to a statutory provision. An adequate level of protection is ensured if it is so determined by binding EU legislation or an international agreement concluded between the non-EEA country and Hungary. For example, participants in the Safe Harbor agreement are considered to provide the required level of protection. However, the Privacy Act does not contain clear provisions regarding the use of SCCs and BCRs. The Authority recently confirmed that SCCs must be accepted, but it is silent on BCRs.

Data transfer within the EEA is considered as transfer within the territory of Hungary. The data controller is obliged to keep a data transfer register which includes the date, legal basis, recipient and scope of data of the data transfer. The data kept in the data transfer register must be kept for at least five years (in case of special or sensitive data, for 20 years).

Derogations

Pursuant to Section 9 of the Privacy Act, the sender data controller may limit the extent of data processing, e.g. by determining the possible purpose and duration of the data processing, as well as the possible recipients of the data transfer. The recipient data controller may process the personal data transferred within the scope determined by the sender data controller. The recipient data controller may process the data transferred beyond these limits only if the sender data controller has given its prior consent thereto.

Adequacy

The European Commission is entitled to decide on the adequacy of the protection of personal data in certain third countries.

Enforcement and remedies

Independent regulator and regulatory sanctions

The Privacy Act expressly regulates the legal status and tasks of the Authority. The Authority is an autonomous public body which keeps the data protection register, conducts investigations, conducts procedures ex officio, imposes fines, initiates court procedures against data controllers and provides data protection audits. The Authority has the power to impose fines between HUF 100,000 and HUF 10,000,000 (approx. 340 euros to 34,000 euros). However, the Privacy Act does not contain guidance on the calculation of fines. The Authority is also entitled to impose multiple fines. The decisions of the Authority are subject to appeal.

Judicial remedies

If a data controller infringes the rights of a data subject or does not comply with the instructions of the Authority, the data subject or the Authority may have recourse to the courts. A data subject may also claim compensation for damages.

Exceptions

National security

The rights of the data subject can be restricted due to national security reasons.

Freedom of expression

Not regulated by the Privacy Act.

Criminal matters

The rights of the data subject can be restricted for law enforcement reasons. Special laws regulate the processing of the personal data of convicts (Act XLVII of 2009 on criminal records).

Others

There are separate Acts regulating the registering of the personal data and address of citizens (Act LXVI of 1992) and the processing and protection of health data (Act XLVII of 1997).

Marketing rules

Are there specific rules governing marketing?

Yes. In addition to the general rules specified in the Privacy Act, the Advertising Act regulates the use of personal data for direct marketing purposes.

Telephone, fax, e-mail and SMS

According to the Advertising Act, advertisements by way of direct marketing can only be sent if the recipient has unambiguously and expressly consented thereto beforehand (opt-in requirement). The consent must include the recipient's:

  • name;

  • place and date of birth;

  • data to the processing of which the recipient has consented;

  • declaration that the consent was given freely and on the basis of adequate information.

The consent declaration can be revoked at any time, without giving reasons and free of charge.

Mail

Direct mail can also be sent in the form of regular mail (postal service) without prior consent (opt-out requirement). It must, however, be ensured that a recipient can opt out at any time and free of charge.

Other

N/A

Additional material information

Data protection audit

As of January 1, 2013, upon the request of the data controller, the Authority conducts a data protection audit in order to assess the data controller's compliance with the provisions of the Privacy Act. An administrative fee will have to be paid for this service, the amount of which is yet to be decided.

For more information about data protection in Hungary please contact:
Dr. Bálint Halász
Tel: +36 1 799 2000
Fax: +36 1 799 2088
balint.halasz@twobirds.com

Dr. Fekete-Győr Ákos
Tel: +36 1 799 2000
Fax: +36 1 799 2088
akos.fekete-gyor@twobirds.com