Contributed by Provaris.
What are the main data protection-related pieces of legislation and other regulations in Hungary?
In Hungary, two key pieces of legislation govern data protection: the EU General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR), directly applicable in Hungary, and the national Hungarian Information Self-Determination and Freedom of Information Act (Privacy Act). While the GDPR provides a broad framework for data protection, the Privacy Act specifically regulates data processing for purposes such as law enforcement, national defense, and national security. The Privacy Act supplements the GDPR’s provisions with national implementing measures. The Privacy Act mandates the application of the GDPR provisions to manual data processing activities, even if they are not part of a filing system.
What are the other primary definitions outlined in the legislation within your jurisdiction (among others, data processing, data processor, data controller, data subject, personal data, sensitive personal data, consent, etc., or equivalent)?
In accordance with the GDPR and the Privacy Act, the primary definitions within these legislations are as follows:
Personal data can be considered as any information relating to an identified or identifiable natural person. A natural person is identifiable if they can be identified, directly or indirectly, in particular by reference to an identifier such as a name an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Data processing is any operation or set of operations that is performed on personal data or sets of personal data, whether by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
A data controller can be a natural or legal person, public authority, agency, or other body that, alone or jointly with others, determines the purposes and means of the processing of personal data. On the other hand, a data processor is a natural or legal person, public authority, agency, or other body that processes personal data on behalf of the controller.
Sensitive data refers to all data falling within the special categories of personal data, including, personal data revealing racial or ethnic origin, political opinion, religious belief or worldview, or trade union membership, as well as genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation. Within sensitive data, genetic data is related to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or health of that natural person, and which result, in particular, from an analysis of a biological sample from the natural person in question. Furthermore, biometric data result from specific technical processing related to the physical physiological, or behavioral characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data.
Criminal personal data can be connected to the data subject and are related to criminal records, generated by organs authorized to conduct criminal proceedings or to detect criminal offenses, or by the prison service during or prior to criminal proceedings, in connection with a criminal offense or criminal proceedings. Regarding the processing of Criminal personal data, the rules relating to the conditions for processing sensitive data are applicable to such data processing.
Consent of the data subject is a freely given, specific, informed, and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action signifies agreement to the processing of personal data relating to him or her.
Which entities fall under the data privacy regulations in Hungary?
Given that the GDPR applies directly in Hungary, any natural, legal person, public authority, agency, or other body must comply with its provisions if the territorial scope under Article 3 of the GDPR encompasses their activities.
The Privacy Act is applicable to any natural or legal person or organization without legal personality. However, these entities only fall under the Privacy Act if they process for national security, national defense, or law enforcement purposes.
The GDPR and the Privacy Act do not apply to the processing activities of natural persons exclusively serving their own personal purposes.
Do specific sectors or types of data have distinct regulatory regimes within your jurisdiction? If so, which?
In Hungary, certain sectors, including healthcare, public administration, business advertising, and financial services, among others, are subject to additional data protection regulations, typically more stringent in nature. While some acts solely regulate the retention periods of personal data processed under them, others provide additional protection for data subjects.
Act I of 2012 on the Labor Code (Labor Code) offers specific protections for employees' personal rights. Under this law, employers in Hungary are limited to requesting personal data that is directly relevant to establishing, performing, terminating employment relationships, or enforcing claims as outlined in the Labor Code. Act XCIII of 1993 on Labor Safety (Labor Safety Act) governs the processing of employee personal data by the employer in the event of occupational accidents.
Act XLVII of 1997 on the Processing and Protection of Health and Related Personal Data (Health Data Act) governs the processing and protection of personal health data, implementing a comprehensive regulatory framework. This legislation addresses various aspects of health personal data processing, including the provision of voluntary and obligatory data. Additionally, the Health Data Act outlines the rights and obligations of patients, ensuring they receive detailed information regarding their health status, recommended examinations, and associated benefits and risks.
In Hungary, the business advertising sector operates under stringent data protection regulations as well. Act XLVIII of 2008 on Essential Conditions of and Certain Limitations to Business Advertising Activity (Business Advertising Act) stipulates that direct advertisements may only be communicated to natural persons only if the addressees of the advertisement gave their preliminary consent, clearly and expressly, to being contacted in this way. Furthermore, the consent must include the name, place of birth, and date of birth of the recipient, as well as the categories of personal data for which the recipient has given consent to be processed.
Data collected while performing tasks outlined in Act LIII of 2017 on preventing and Combating Money Laundering and Terrorist Financing (Anti-Money Laundering Act) may solely be used for preventing money laundering and terrorist financing. Service providers are mandated to retain and be authorized to process this information for eight years following the termination of the business relationship or execution of the transaction order.
There are several sector-specific acts that specify exact retention and deletion periods processing under the sector-specific act. For example, in the financial sector, Act CCXXXVII of 2013 on Credit Institutions and Financial Enterprises states that client complaints and their replies shall be retained for five years and contracts with clients for mediation services and mediated financial services contracts shall be retained for three years. Act CL of 2017 on the Rules of Taxation outlines retention periods of tax-related documents for taxpayers and employers and Act C of 2000 on Accounting sets requirements regarding retention periods for businesses regarding their annual report, inventory, and any accounting documents.
What rights do data subjects have under the data protection regulations in Hungary?
Data subjects in Hungary have various rights under the GDPR and the Privacy Act. They are entitled to receive transparent information about the processing of their personal data, including purposes, legal basis, and recipients of their data. Additionally, they have the right to access their personal data, they can also request rectification of inaccuracies or incompleteness, and the erasure of their personal data under certain conditions (the “right to be forgotten”). Furthermore, data subjects have the right to request restrictions on processing and data portability, and to object to certain processing activities. Moreover, data subjects have the right not to be subject to decisions based solely on automated processing, including profiling. The Privacy Act also grants the relatives of a deceased person the ability to exercise the right of erasure and to obtain a restriction on processing upon request, made within five years following the death.
What is the territorial application of the data privacy regime in your jurisdiction?
Hungarian data protection law is applicable if either: (i) The controller's main establishment is located in Hungary or the controller's only place of business within the EU is in Hungary. (ii) The controller's main establishment is not located in Hungary or the controller's only place of business within the EU is not in Hungary, but the controller's or its processor(s)'s data processing operation(s) relate to (a) the offering of goods or services to data subjects located in Hungary, irrespective of whether a payment by the data subject is required; or (b) the monitoring of data subjects' behavior, which occurs in Hungary.
What are the key factors and considerations to adhere to when engaging in the processing of personal data within your jurisdiction?
As a preliminary step, it is recommended to conduct a thorough examination of the relevant data protection legislation prior to initiating any data processing activities. In Hungary, this may involve reviewing the directly applicable GDPR, the Privacy Act, and potentially other sector-specific regulations. Additionally, it is essential to keep a close eye on the decisions the National Authority for Data Protection and Freedom of Information (NAIH) has made concerning data processing activities because the authority gives valuable interpretation of the GDPR’s provisions.
One of the most common violations of the GDPR is the lack of transparency, therefore, it is crucial to appropriately inform the data subjects of the processing. Related to this, strict adherence to the documentation requirements set by the GDPR is essential. For example, if the controller states that the legal basis for the processing is in its legitimate interest, it shall be well supported and documented by the controller, because, as a general rule, the controller is responsible for any tasks resulting from data processing. When preparing documentation for data processing it is also crucial to look at the NAIH’s possible interpretation and relevant cases. The NAIH has issued a national list of activities, when data protection impact assessments are mandatory, which shall be considered when engaging in the processing of personal data in Hungary.
Furthermore, it is also important to follow sector-specific data processing rules because they may outline additional requirements and stringent regulations for the activities in question. For example, under the GDPR, explicit consent from the data subject is mandatory for automated individual decision-making and processing of special categories of personal data. Meanwhile, in Hungary, as per the Business Advertising Act, explicit consent from recipients of direct marketing is required.
What are the regulations and best practices concerning the retention and deletion of personal data in Hungary?
The GDPR, directly applicable in Hungary, the “storage limitation” principle mandates that personal data cannot be stored for longer than is necessary for the purposes for which the personal data are processed. Controllers must specify the storage period or the criteria for determining retention periods in privacy notices. Additionally, various sector-specific acts in Hungary govern retention periods and deletion requirements. Controllers in these sectors must adhere to these regulations to meet sector-specific data protection standards, which require individual examination.
The NAIH offers valuable non-binding guidance on personal data retention and deletion in Hungary. For instance, when interpreting GDPR regulations, the NAIH emphasized that data controllers must furnish evidence of compliant deletion of personal data. This entails documenting details such as serial numbers and IMEI numbers in the record, enabling clear identification of the medium and the erasure method used. If competent authorities request evidence of personal data erasure, and the controller has documented the erasure as described above, they may share this record as proof of compliance.
Who serves as the regulatory authority(s) in your jurisdiction regarding data protection?
In Hungary, the NAIH enforces data protection and freedom of information regulations.
Is the appointment of a Data Protection Officer mandatory for certain organizations or sectors in Hungary, and under what conditions?
Under the GDPR, appointing a Data Protection Officer is obligatory in specific scenarios: when processing is conducted by a public authority or body (excluding courts), when activities involve extensive processing of special or criminal personal data, or when there's regular and systematic monitoring of data subjects on a large scale.
Similarly, within the scope of the Privacy Act, designating a Data Protection Officer is mandatory if the controller or processor carries out duties vested by the state or other public duties as specified by law, except for courts. Additionally, the Privacy Act allows for other acts to mandate Data Protection Officer designation for certain controllers and processors, although there are currently no examples of this in Hungarian law.
How should data breaches be handled in your jurisdiction?
In Hungary, two primary legislations govern data breaches. When data processing falls under the Privacy Act, the Privacy Act applies to the breach. Similarly, if data processing falls under the GDPR, the GDPR governs the breach.
Under the GDPR, if a data breach poses a risk to individuals' rights and freedoms, the controller must report it to the supervisory authority, in Hungary to the NAIH, within 72 hours of becoming aware of it. Controllers must document all data breaches, including relevant facts, effects, and remedial actions taken. If a breach is likely to result in high risks to individuals, the controller must promptly inform affected individuals, providing clear information about the breach and necessary measures.
Under the Privacy Act, breaches must be reported to the NAIH without undue delay, but no later than 72 hours after becoming aware of them, unless they pose no risk to individuals' rights. If a breach significantly affects individuals' rights, the controller must promptly notify them, unless the Privacy Act states otherwise.
Both legislations require similar mandatory information to be provided in breach notifications to the NAIH. The Hungarian supervisory authority provides an electronic platform for reporting data breaches, which may be utilized to ensure compliance with relevant legislation in the event of a breach.
What are the potential penalties and fines for non-compliance with data protection regulations in Hungary?
Fine calculation under the GDPR is the responsibility of the NAIH in Hungary, governed by the GDPR, the Privacy Act, and the Sanctions Act. The NAIH, as a supervisory authority, follows the five-step methodology of the European Data Protection Board, which includes the following considerations:
- Identification of the processing operations: Initially, the NAIH identifies the data processing operations to be evaluated and assesses the interrelations between any concurrent infringements, as stipulated in Article 83(3) of the GDPR.
- Starting point determination: Next, the NAIH establishes the starting point for fine calculation based on the classification under Article 83(4)-(6) of the GDPR, the seriousness of the infringement, and the turnover of the undertaking.
- Evaluation of aggravating and mitigating circumstances: In the subsequent stage, the NAIH considers both aggravating and mitigating circumstances related to the behavior of the data controller or processor, past or present, and adjusts the fine accordingly.
- Legal Maximums: The authority then sets the legal maximums for various types of infringements.
- Final Assessment: Finally, the NAIH analyses the calculated fine to ensure it aligns with the principles of effectiveness, dissuasiveness, and proportionality. While adjustments may be made to reflect these principles, it's crucial that the final fine amount remains within the bounds of the legal maximum as outlined by law.
Over recent years, there has been a trend of escalating fines imposed by the NAIH. The pinnacle of this trend unfolded in 2021, when a bank, using an artificial intelligence system without justification, unlawfully analyzed the voices of its customers, which helped track the emotions of its customers via phone customer service. The NAIH imposed a HUF 250 million fine for the personal data breach, which is approximately EUR 630,000.
In a more recent case, the developer entity responsible for the exclusive system used by public schools received a fine of HUF 110 million, approximately EUR 280,000, from the NAIH. This was due to insufficient security measures for the processed personal data within the system, as well as the developers' failure to promptly notify the data controllers, namely the public schools, of the data breach. The NAIH reported that the personal data of over 20,000 individuals was accessible to unauthorized parties.
Are there any noticeable patterns or trends in how enforcement is carried out in Hungary?
In recent years, responding to the challenges brought by digitalization has become increasingly significant. As of January 2022, the NAIH has been authorized to "block" websites – temporarily render them inaccessible – operated by unknown entities engaged in unlawful data processing, causing significant harm to individuals.
Over the past years, the number of data protection authority proceedings, as well as the number and amounts of fines, have been on the rise. In 2022, the NAIH issued its largest fine to date, a HUF 250 million penalty for the unlawful application of artificial intelligence.
Furthermore, the NAIH is initiating more and more procedures, both upon request and ex officio, concerning political campaigns, healthcare documentation, forensic expert activities, and marketing data processing. Instances of camera surveillance have also become increasingly common in recent years.
How do emerging technologies such as AI, IoT, and blockchain impact data protection considerations in Hungary?
The rise of artificial intelligence (AI) presents significant challenges to data protection considerations in Hungary. As of now, there is no specific legislation governing AI in the country, leaving organizations to navigate within the framework of the GDPR, guidance from the European Data Protection Board, and directives from the NAIH.
The NAIH's decision 85-3/2022 addressed some of these challenges, where a bank utilized artificial intelligence to understand and analyze customer moods during phone calls. The decision emphasizes the importance of transparency in such AI applications, especially the need for clear privacy notices and the provision of consent or the right to object. Moreover, legitimate interest as a legal basis was found lacking, highlighting the necessity for proper legal grounds for AI deployment. Additionally, the bank also used artificial intelligence to monitor and evaluate employees through these phone calls. The NAIH emphasizes that such data processing can only be done in a reliable and human-centered manner with very strong guarantees and proper planning. Addressing these challenges, the forthcoming EU Artificial Intelligence Act (AI Act) will directly be applicable to Hungary as well. The AI Act aims to prohibit AI applications that threaten citizens' rights, such as biometric categorization systems and emotion recognition in workplaces and schools. It will also tackle issues like social scoring and AI manipulation of human behavior.
Similarly, the rapid increase of IoT devices generated a vast amount of new data, leading to emerging data protection risks. Regulation (EU) 2023/2854 of the European Parliament and of the Council of 13 December 2023 on harmonized rules on fair access to and use of data and amending Regulation (EU) 2017/2394 and Directive (EU) 2020/1828 (Data Act), which came into effect in January 2024, addresses these concerns by outlining roles and responsibilities in IoT data processing. It grants users rights to access, use, and port data generated through IoT devices and establishes rules for data sharing between businesses and public sector bodies. While Hungary has yet to see any data protection cases involving IoT data processing, the Data Act provides a robust framework to safeguard users and promote the EU's data economy.
In recent years, the emergence of blockchain technology has raised data protection concerns in Hungary. Consequently, the NAIH has provided clear guidelines in 2017, which aim to address critical aspects such as the processing of personal data, the applicability of GDPR regulations in terms of territorial and substantive scope, roles during processing, and other related matters. The NAIH has provided insights into blockchain technology's implications for data protection, particularly in its application within transactions involving virtual currencies like Bitcoin. A primary concern lies in the decentralized nature of blockchain, which lacks centralized oversight. The NAIH's clarifications emphasize that when blockchain incorporates personal data, individual users take on the role of data controllers. Consequently, the user adding data to the blockchain gains exclusive control over their stored information within the block, determining its subsequent usage. Moreover, if this control is transferred to another user, the recipient inherits exclusive rights over the data and assumes the role of the data controller. In this case, the legal basis for processing personal data might be the consent of the data subject or the legitimate interest of the user. Furthermore, another concerning matter is whether the blockchain enables the profiling of users. The NAIH states that this question can only be answered after further examination of the specific blockchain in question.
Are there any expected changes in data protection on the horizon in the next 12 months in Hungary?
Considering data protection enforcement trends in Hungary, it's anticipated that the NAIH will provide practical interpretation and guidance on new technologies impacting data protection regulations. With fines increasing for GDPR violations, organizations are recognizing the importance of prioritizing data protection across all operational areas, particularly in light of emerging technologies.
The expected publication of the AI Act by the end of May 2024 is projected to offer comprehensive guidance on AI systems over the next two years. Additionally, the interplay between the Data Governance Act, the GDPR, and applicable Hungarian national laws may be subject to guidance from the NAIH. It's hoped that this legislation will contribute to reducing data breaches resulting from the unlawful use of artificial intelligence, thereby strengthening overall data protection measures.
Expectedly, within the next 12 months, several acts will come into force in Hungary aimed at bolstering the country's digital transformation and enhancing innovation in public administration practices. Notably, Act C of 2021 on the Land Registry and Act CIII of 2023 on the digital state and certain rules for the provision of digital services are among these anticipated legislations. With these advancements poised to impact individuals' daily lives, new data protection concerns are likely to arise, necessitating reflection in sector-specific legislation. It is anticipated that electronic data processing and automated decision-making, particularly by government bodies concerning individuals, will see a surge in the coming year. Consequently, these emerging innovations will demand specific data processing regulations within the framework of these new legislations.
