Hungary

Stage of legislative progress
E.g. pre-consultation, in consultation

The bill amending the Info Act was passed on July 17 2018 by the Hungarian Parliament. It was published on July 25 2018 as Act 38 of 2018.

Approach to implementation
E.g. amendments to existing law, total repeal of old laws

The law modifying the InfoAct adds a list of provisions which apply to data processing activities already covered by the GDPR, and implements the Law Enforcement Directive (2016/680/EU directive).
The InfoAct is now compatible with the GDPR and sets forth when to apply the GDPR, the InfoAct or both.
Other issues remain unresolved. The sectoral data protection provisions still reflect an outdated approach (e.g. limiting the legal basis for processing personal data to either consent or a statutory provision).
There are several contradictory provisions in the finance, insurance and telecommunication sectors, and in relation to direct marketing.

According to a position paper published by the Hungarian National Authority for Data Protection and Freedom of Information ("NAIH"), the authority will only apply the GDPR where its provisions are comprehensive. However, deregulation of rules directly contradicting the provisions of the GDPR is still required to create a landscape that is easier to navigate for businesses.

Generally, where the GDPR permits local deviation, the InfoAct makes few changes. As an example, in relation to information society services offered directly to children, the age of consent remains 16 in Hungary.

Timescale for implementation
E.g. pre-consultation, in consultation

On 01 October 2018 the Ministry of Justice published a draft bill regarding the amendment of sectorial data protection laws.

Areas where Member States must have local laws:

Personal data and freedom of expression

Covered by the amended Info Act.

Penalties

Covered by the amended Info Act.

Areas where Member States may have local laws:

Professional secrecy

Covered by legislation on certain professions.

Scientific, historical or statistical purposes

Covered by separate legislation.

Employment

Covered by the Labor Code.

Personal data of deceased persons

The InfoAct was modified to include provisions on the processing of personal data of deceased individuals. It provides that either a person appointed by the data subject during their life or a close relative will be able to exercise the data subject's rights after their death.

Children online

No specific provisions.

Special rules for special categories of data

The definition of ‘special data’ in the InfoAct is applicable for data processing activities falling under the scope of the GDPR. The categories of data falling under this definition are similar to those of Article 9(1) of the GDPR. The amended InfoAct also keeps the definition of ‘criminal personal data’ and this is also applicable to data processing activities falling under the scope of the GDPR.

Article 5(7) of the InfoAct provides that the provisions applicable to "special data" are also applicable to "criminal personal data".

Genetic, biometric or health data

No specific provisions.

Designation of a Data Protection Officer

No specific provisions.

National identification numbers/any other identifier of general application

Covered by separate legislation.

Other:

Any other areas under discussion

n/a