Key amendments to the Hungarian Data Protection Act: Guidance on BCRs in Hungary

02 October 2015

Dr. Bálint Halász

We recently reported on the amendments to the Hungarian General Data Protection Act (Act 112 of 2011 on Informational Self-determination and Freedom of Information, the "Info Act"), which will come into force on 1 October 2015. One of the key amendments concerns the introduction of Binding Corporate Rules (BCRs) to Hungarian law.

The Hungarian Data Protection Authority (NAIH) has published its guidelines on BCRs on its website (available in Hungarian only).

The guidelines contain three scenarios:

(1)    NAIH taking the role of lead authority

The applicant should

-      pay the fee*

-      fill in and submit NAIH's form in Hungarian

-      fill in and submit WP 133 form in English

-      submit a draft BCR in both English and Hungarian


The NAIH will review the draft and forward it to other designated authorities, and if they also approve the draft then the NAIH will approve the BCRs, in which case the applicant may proceed with final (formal) approval in each Member Sate under national provisions

(2)    The NAIH participating in an approval procedure led by another authority

The NAIH will review the draft received from the lead authority in another Member State and send its comments or confirm the draft; once the lead authority has approved the BCR it will send it to the NAIH. After this the applicant will be in a position to proceed with the next steps:

-      pay the fee*

-      fill in and submit NAIH's form in Hungarian

-      fill in and submit WP 133 form in English

-      submit the final text of the BCR in both English and Hungarian


The NAIH will check only formal requirements, but will not do a thorough review of the final BCR.

(3)    "Extension" of an existing BCR already approved by another authority or authorities before 1 October 2015 to Hungary

The applicant should

-      pay the fee*

-      fill in and submit NAIH's form in Hungarian

-      submit the text of the existing BCR in both English and Hungarian

-      provide data in relation to the earlier approval of the BCRs of a Data Protection Authority of another Member State

 

The NAIH will check only formal requirements, but will not do a thorough review of the existing BCRs.

* In each case the fee amount is HUF 266,000 (approx. EUR 850 / GBP 620).

The guidlines also suggest that the NAIH will take part in the Mutual Recognition Procedure

[See update #1 below.]

The guidelines do not contain information on processor BCRs but it is likely that the NAIH will publish more information on this in early October, as the Infoact contains controversial provisions on this topic. [See update #2 below.]

Update #1 (1 October)

According to information received form the NAIH they will not take part in the Mutual Recognition Procedure (MRP). Under the MRP, once the lead authority considers that BCR meets the requirements as set out in the working papers, the DPAs under mutual recognition accept this opinion as sufficient basis for providing their own national permit or authorisation for the BCR, or for giving positive advice to the body that provides that authorisation. At the moment, 21 countries are part of the mutual recognition procedure: Austria, Belgium, Bulgaria, Cyprus, Czech Republic, Estonia, France, Germany, Iceland, Ireland, Italy, Latvia, Liechtenstein, Luxembourg, Malta, the Netherlands, Norway, Slovakia, Slovenia, Spain, and the United Kingdom.

The fact that the NAIH will not take part in the MRP does not necessarily mean that the approval of a BCR in Hungary would be significantly delayed. The NAIH will have an opportunity to make comments and requires modifications but this does not mean that they will do this in each case. It is also possible that the NAIH will not raise any issues in relation to a BCR already approved by the lead authority in which case the approval in Hungary would not take significantly longer as in any of the above Member States being parties in the MRP.

It is likely that in a few days the NAIH will update its guidelines published on their website to reflect the above.

Update #2 (1 October)

Regarding processor BCRs it is likely that the NAIH will not be able to approve processor BCRs as such but would be willing to accept a BCR in which a data controller is involved to some extent. We have been  told that they are also going to update their guidelines with this soon and that the NAIH would follow WP29 documents in relation to processor BCRs.

Authors