Hungary

Overview

Stage of legislative progress 
E.g. pre-consultation, in consultation

On 29 August 2017 the Ministry of Justice published a draft bill intended for 'implementation' of the GDPR in Hungary but this relates only to the current Hungarian general data protection act, the InfoAct. This public consultation ended on 08 September 2017 and the comments and results have not been published yet. These will be published when the government submits the draft bill to the Parliament. The Ministry of Justice is only in charge for the InfoAct as the task of 'implementation' of other sectorial data protection acts (e.g. in the telecom, finance, e-commerce, health sectors) belongs to other ministries. There is no official information on the status of legislative progress at these ministries.

Update (04 December 2017): After the public consultation the Ministry of Justice has withdrawn the first draft of amendments to the current InfoAct. While the reasons were not published it is likely that the Ministry has also realised that in order to ensure that Hungarian law is complainant with the provisions of the GDPR the review of sectorial laws containing data protection provisions is also necessary. The Ministry has requested certain associations to provide their input and drafts on the InfoAct and sectorial laws by 15 January 2018. 

Update (16 May 2018): The Ministry of Justice has not published any new version for the draft bill amending the InfoAct and we received the information that the legislation procedure was put on hold because of the elections in April 2018.

Update (31 May 2018): On 29 May 2018 Deputy Prime Minister Mr Zsolt Semjén has submitted a draft bill amending the InfoAct to Parliament. This draft bill however is not a continuation of the earlier drafts as it contains only the following:

  1. The NAIH is appointed as the GDPR authority in Hungary.
  2. The NAIH should apply the principle of proportionally when enforcing the GDPR, and especially in case of a first breach it should in the first instance issue a warning.* 
  3. The Info Act also implements the GDPR.
  4. Some linguistic amendments and opening the authority of the NAIH so it can enforce the GDPR. 

* The background of the provision on the desire not to impose a fine in case of a first breach is that on 24 May the government’ spokesperson announced that the government would like to maintain the exception for SMEs which is set forth in the Hungarian SME Act. The relevant part of the draft bill contains the following:

The Authority shall exercise its powers under Article 83(2)-(6) GDPR taking into account the principle of proportionality, in particular it shall primarily issue a warning to the data controller or the data processor to remedy the infringement, when it is a first time infringement of the data processing provisions set forth by statutory provisions or mandatory acts of the EU, in accordance with Article 58 GDPR.

Approach to implementation 
E.g. amendments to existing law, total repeal of old laws

According to the published draft bill the InfoAct is going to remain in force but its scope will be limited to data processing activities which are not within the scope of the GDPR. As far as activities covered by the GDPR are concerned, only certain provisions of the InfoAct will be applicable. These provisions will be listed in Article 2 of the InfoAct (in its amended form).

Update (04 December 2017): it seems that the Ministry of Justice has recognized that the structure of the first draft was hard to interpret, and that the new Info Act should be more 'user friendly'. 

Update (16 May 2018): There is no news on the approach of the Ministry of Justice regarding the amendments of the InfoAct.

Update (31 May 2018): the draft bill submitted to the Parliament on 29 May 2018 does not contain substantive amendments or implementation provisions other than mentioned above. So this bill is independent from the draft published for public consultation in August 2017 and the draft discussed with a limited group of stakeholders in January 2018. 

On 25 May 2018 the NAIH published a position paper on the applicable laws under the GDPR (available here in Hungarian only). This confirms that the ‘implementation’ of the GDPR has not happened in Hungary. According to the NAIH, it will apply the GDPR where its provisions are comprehensive. However, where the GDPR provides the opportunity to Members States to derogate, the NAIH will enforce these. In relation to the latter sectorial data protection laws are expressly mentioned.

Timescale for implementation 
E.g. pre-consultation, in consultation

The Ministry of Justice is likely to submit the draft to the government meeting in Q4 2017 and in this case it is likely that the Parliament will vote on it during Q1 2018.

As far as sectorial legislation is concerned there is no official information on the status of legislative progress.

Update (04 December 2017): as the Ministry of Justice has postponed the consultation on the InfoAct and sectorial DP laws it is unlikely that the new amendments will come into force earlier than Q2 2018. 

Update (16 May 2018): The Ministry of Justice will be able to resume the legislation procedure after the new government is formed and the legislative competencies are distributed. Therefore it is unlikely that the new amendments will come into force earlier than Q3 2018.

Update (31 May 2018): the draft bill submitted to Parliament on 29 May 2018 was not published for consultation.


Areas where Member States must have local laws:

Personal data and freedom of expression 

n/a

Penalties

n/a


 

Areas where Member States may have local laws:

Professional secrecy 

n/a 

Scientific, historical or statistical purposes 

n/a

Employment

n/a

Personal data of deceased persons 

The draft bill on amending the InfoAct, prepared by the Ministry of Justice, contains provisions on processing of personal data of deceased persons. It grants to the deceased persons' close relatives the right to erasure and to obtain restriction on of processing, upon request made within five years following the death.

Update (04 December 2017): it is likely that the Ministry of Justice will also include these provisions in the new draft bill.

Children online

n/a

Special rules for special categories of data
n/a

Genetic, biometric or health data

n/a

Designation of a Data Protection Officer

n/a

National identification numbers/any other identifier of general application

n/a


Other:

Any other areas under discussion
n/a