Stage of legislative progress 
E.g. pre-consultation, in consultation

On 29 August 2017 the Ministry of Justice published a draft bill intended for 'implementation' of the GDPR in Hungary but this relates only to the current Hungarian general data protection act, the Info Act. This public consultation ended on 08 September 2017 and the comments and results have not been published yet. These will be published when the government submits the draft bill to the Parliament. The Ministry of Justice is only in charge for the Info Act as the task of 'implementation' of other sectorial data protection acts (e.g. in the telecom, finance, e-commerce, health sectors) belongs to other ministries. There is no official information on the status of legislative progress at these ministries.

Update (04 December 2017): After the public consultation the Ministry of Justice has withdrawn the first draft of amendments to the current Info Act. While the reasons were not published it is likely that the Ministry has also realised that in order to ensure that Hungarian law is complainant with the provisions of the GDPR the review of sectorial laws containing data protection provisions is also necessary. The Ministry has requested certain associations to provide their input and drafts on the Info Act and sectorial laws by 15 January 2018. 

Update (16 May 2018): The Ministry of Justice has not published any new version for the draft bill amending the InfoAct and we received the information that the legislation procedure was put on hold because of the elections in April 2018.

Update (31 May 2018): On 29 May 2018 Deputy Prime Minister Mr Zsolt Semjén has submitted a draft bill amending the InfoAct to Parliament. This draft bill however is not a continuation of the earlier drafts as it contains only the following:

  1. The NAIH is appointed as the GDPR authority in Hungary.
  2. The NAIH should apply the principle of proportionally when enforcing the GDPR, and especially in case of a first breach it should in the first instance issue a warning.* 
  3. The Info Act also implements the GDPR.
  4. Some linguistic amendments and opening the authority of the NAIH so it can enforce the GDPR. 

* The background of the provision on the desire not to impose a fine in case of a first breach is that on 24 May the government spokesperson announced that the government would like to maintain the exception for SMEs which is set forth in the Hungarian SME Act. The relevant part of the draft bill contains the following:

The Authority shall exercise its powers under Article 83(2)-(6) GDPR taking into account the principle of proportionality, in particular it shall primarily issue a warning to the data controller or the data processor to remedy the infringement, when it is a first time infringement of the data processing provisions set forth by statutory provisions or mandatory acts of the EU, in accordance with Article 58 GDPR. 

Update (10 July 2018): on 19 June 2018 the government submitted to the Parliament the draft bill amending the Info Act. This is very similar to the first draft released for public consultation on 29 August 2017.  Similar to the earlier version the current draft bill primarily addresses the Info Act but does not address sectorial data protection laws. According to the agenda of the 16, 17 and 20 July extraordinary meetings of the Hungarian Parliament on 17 July the MPs are going to vote on the bill.

Update (10 September 2018): On 17 July 2018 the Hungarian Parliament passed the draft bill amending the Info Act, which was published on 25 July 2018 as Act 38 of 2018. This added a list of provisions which apply to data processing activities already covered by the GDPR, and implemented the Law Enforcement Directive (2016/680/EU directive). Most amendments took effect on 26 July 2018 while others took effect on 25 August 2018.

Approach to implementation 
E.g. amendments to existing law, total repeal of old laws

According to the published draft bill the InfoAct is going to remain in force but its scope will be limited to data processing activities which are not within the scope of the GDPR. As far as activities covered by the GDPR are concerned, only certain provisions of the InfoAct will be applicable. These provisions will be listed in Article 2 of the InfoAct (in its amended form).

Update (04 December 2017): it seems that the Ministry of Justice has recognized that the structure of the first draft was hard to interpret, and that the new Info Act should be more 'user friendly'. 

Update (16 May 2018): There is no news on the approach of the Ministry of Justice regarding the amendments of the InfoAct.

Update (31 May 2018): the draft bill submitted to the Parliament on 29 May 2018 does not contain substantive amendments or implementation provisions other than mentioned above. So this bill is independent from the draft published for public consultation in August 2017 and the draft discussed with a limited group of stakeholders in January 2018. 

On 25 May 2018 the NAIH published a position paper on the applicable laws under the GDPR (available here in Hungarian only). This confirms that the ‘implementation’ of the GDPR has not happened in Hungary. According to the NAIH, it will apply the GDPR where its provisions are comprehensive. However, where the GDPR provides the opportunity to Members States to derogate, the NAIH will enforce these. In relation to the latter sectorial data protection laws are expressly mentioned.

Update (10 July 2018): the draft bill amending the Info Act which the government submitted to the Parliament on 19 June 2018 primarily addresses the Info Act but does not address sectorial data protection laws. The Ministry of Justice is only in charge for the Info Act as other ministries are in charge for the task of making sectorial data protection acts (e.g. in the telecom, finance, e-commerce, health sectors) compatible with the GDPR. There is no official information on the status of legislative progress at these ministries.

Update (10 September 2018): The Info Act is now compatible with the GDPR and sets forth when to apply the GDPR, the Info Act or both. Meanwhile, numerous other issues still remain unresolved. The sectorial data protection provisions still reflect outdated approaches, such as limiting the legal basis of processing of personal data to either consent or a statutory provision. There are several contradicting provisions in the finance, insurance and telecommunication sectors, or in relation to direct marketing. According to a position paper published by the Hungarian National Authority for Data Protection and Freedom of Information (NAIH), the authority would only apply the GDPR where its provisions are comprehensive. However, deregulation of rules directly contradicting the provisions of the GDPR is still required to create a landscape that is easier to navigate for businesses.

Generally, there are no significant derogations from the GDPR where the regulation made such changes possible to the Member States. As an example, in relation to information society services offered directly to children, the age of consent remains at 16 years in Hungary.

Timescale for implementation 
E.g. pre-consultation, in consultation

The Ministry of Justice is likely to submit the draft to the government meeting in Q4 2017 and in this case it is likely that the Parliament will vote on it during Q1 2018.

As far as sectorial legislation is concerned there is no official information on the status of legislative progress.

Update (04 December 2017): as the Ministry of Justice has postponed the consultation on the InfoAct and sectorial DP laws it is unlikely that the new amendments will come into force earlier than Q2 2018. 

Update (16 May 2018): The Ministry of Justice will be able to resume the legislation procedure after the new government is formed and the legislative competencies are distributed. Therefore it is unlikely that the new amendments will come into force earlier than Q3 2018.

Update (31 May 2018): the draft bill submitted to Parliament on 29 May 2018 was not published for consultation.

Update (10 July 2018): the draft bill submitted to Parliament on 19 June 2018 was not published for consultation but as this is based on the first draft released for public consultation on 29 August 2017, it can be considered that public consultation has happened in 2017. 

Update (10 September 2018): The Info Act is now compatible with the GDPR while there is no publicly available information on the review of sectorial data protection provisions.

Update (01 October 2018): On 01 October 2018 the Ministry of Justice published a draft bill on amendment of sectorial data protection laws. This public consultation ends on 05 October 2018.


Areas where Member States must have local laws:

Personal data and freedom of expression 

Covered by the amended Info Act.

Penalties

Covered by the amended Info Act.


 

Areas where Member States may have local laws:

Professional secrecy 

Covered by legislation on certain professions.

Scientific, historical or statistical purposes 

Covered by separate legislation.

Employment

Covered by the Labor Code.

Personal data of deceased persons 

The draft bill on amending the InfoAct, prepared by the Ministry of Justice, contains provisions on processing of personal data of deceased persons. It grants to the deceased persons' close relatives the right to erasure and to obtain restriction on of processing, upon request made within five years following the death.

Update (04 December 2017): it is likely that the Ministry of Justice will also include these provisions in the new draft bill.

Update (10 July 2018): the draft bill submitted to Parliament on 19 June 2018 contains provisions on processing of personal deceased persons.  In a nutshell either an individual appointed by the person during his/her life or a close relative will be able to enforce subject access rights of the deceased person. In the previous case the authorisation should be issued in the same way as a last will, i.e. as a public document or a private document of complete probative value. In the latter case, if the deceased person did not issue a said authorisation in his/her life then the close relative’s entitlement to enforce the right will be limited for five years after the death of the individual. 

Update (10 September 2018): The Info Act now contains the above provisions on processing of personal deceased persons.

Children online

No specific provisions.

Special rules for special categories of data
The definition of ‘special data’ in the Info Act remains in the act and it is applicable for data processing activities falling under the scope of the GDPR. The examples of categories are similar to Article 9(1) of the GDPR. The amended Info Act also keeps the definition of ‘criminal personal data’ and this is also applicable for applicable for data processing activities falling under the scope of the GDPR. The issue with latter is that Article 5(7) of the Info Act provides that for processing of ‘criminal personal data’ the provisions on processing of ‘special data’ are also applicable which is not consistent with the differentiation of ‘special categories of data’ (Article 9 of the GDPR) and ‘personal data relating to criminal convictions and offences’ (Article 10 of the GDPR).

Genetic, biometric or health data

For data processing activities falling under the scope of the GDPR there are no specific provisions.

Designation of a Data Protection Officer

For data processing activities falling under the scope of the GDPR there are no specific provisions.

National identification numbers/any other identifier of general application

Covered by separate legislation.


Other:

Any other areas under discussion
n/a