The EU Data Protection Directive 95/46/EC is currently implemented in Hungary by Act No. CXII of 2011 on Informational Self Determination and Freedom of Information which came into force on 1 January 2012 (“Act”). Enforcement is through the National Authority for Data Protection and Freedom of Information (“Authority”).
Definition of Personal Data
Personal data shall mean any data relating to the data subject – in particular name, identification number or one or more factors specific to his physical, physiological, mental, economic, cultural or social identity – and any reference that can be drawn from such data in respect of the data subject. In the course of data processing, such data shall be treated as personal data as long as the connection between the data and the data subject remains restorable. The connection is considered restorable if the data controller has the technical means necessary to restore it. Unless the data controller is directly able, by its own technical capabilities, to trace the data back to the data subject, the data shall not be considered "personal data". This so-called "relative" nature of personal data, which in practice narrows the meaning of personal data, is only present in a few jurisdictions.
Definition of Sensitive Personal Data
Sensitive personal data shall mean:
■ personal data revealing racial, national or ethnic origin, political opinions and any affiliation with political parties, religious or philosophical beliefs, trade union membership or sex life; and
■ personal data concerning health, addictions, or criminal personal data.
National Data Protection Authority
National Authority for Data Protection and Freedom of Information
Address: H-1125 Budapest, Szilágyi Erzsébet fasor 22/c.
If a data controller intends to conduct data processing, it is obliged to file a request with the Authority. Data processing must be registered by the Authority before it can occur. The Authority will charge a fee for registration. The fee that will be charged is currently unknown, but is expected to fall within the range of EUR 20-30.
Should the Authority fail to respond to a request for registration within 8 days of the filing of such a request, data processing may be commenced.
No register is held, and thus no request can be filed, for the processing of personal data relating to data subjects' employment, membership or customer relationship with the data controller. Financial institutions, community service providers and electronic communication service providers are excluded from this exemption, i.e. they will be obliged to register even if they process the above data.
The notification should include the following information:
■ the purpose of processing;
■ the types of data and the grounds for processing;
■ the categories of data subjects;
■ the source;
■ the categories of data transferred, the recipients and the grounds for transfer;
■ the name and registered office of the data controller and the data processor, the place where records are stored and/or where processing is carried out, and the data processor’s activities in connection with data processing operations;
■ the name and contact information of the internal data protection officer (if any); and
■ the technology applied for data processing.
Data Protection Officers
The following data controllers and data processors shall appoint or commission an internal data protection officer (“DPO”) (holding a law degree, a degree in economics or computer sciences or an equivalent degree in higher education) who is to report directly to the head of the organisation:
■ authorities that control or process personal data in respect of nationwide registers, or authorities that control or process employment or criminal records;
■ financial institutions; and
■ telecommunications service providers and public utility companies.
As a new institution effective from 1 January 2012, the head of the Authority will convene a conference of the DPOs at least once a year to discuss data protection related matters.
Collection and Processing
Personal data may be collected and processed if:
■ the data subject has given his or her consent, or
■ this is required by an Act or by a decree of the local municipality based on the authorization conferred by an Act concerning the specific data as defined therein.
Personal data can also be processed if it is impossible to obtain the consent of the data subject, or doing so would cause disproportionate costs, and the processing is necessary:
■ for compliance with a legal obligation to which the controller is subject; or
■ for the purposes of the legitimate interests of a third party, or the controller itself, where the assertion of such interests is proportionate with the interference in data protection rights.
Sensitive data may be processed if:
■ the data subject has given his or her explicit consent in writing, or
■ it is necessary to enforce an obligation prescribed by an international treaty, or for the enforcement of a constitutional right set forth in the Fundamental Law of Hungary, or prescribed by an Act for national security or law enforcement purposes regarding personal data revealing racial, national or ethnic origin, political opinions and any affiliation with political parties, religious or philosophical beliefs, trade union membership or sex life; or
■ the processing is required by an Act for the purpose of public order, in the case of personal data concerning health, addictions, or criminal personal data.
Personal data may be processed only for specified and explicit purposes, where it is necessary for exercising certain rights or fulfilling certain obligations. This purpose must be satisfied at all stages of the data processing operations.
The personal data processed must be essential for the purpose for which it was collected, it must be suitable to achieve that purpose, and it may be processed to the extent and the duration necessary to achieve that purpose.
Transferring personal data of data subjects within the EEA shall be considered as data transfer within Hungary. Transferring personal data to data processors within the EEA is possible without the consent of the data subjects. Under the Act a data processor is the person that is engaged in the processing of personal data on behalf of the controller, and the data processor carries out "the technical operations in connection with the data management." In practice an entity will be a data processor for the purposes of the Act where it acts on the basis of the instructions (on behalf) of the data controller and follows the predetermined rules and methodology set by the data controller.
The Act makes it possible to transfer personal data to third countries (i.e. countries outside the EEA) if the conditions (legal bases) of the data processing are satisfied (see above) and an adequate level of protection is afforded in such third countries.
Data controllers, and within their sphere of activity, data processors must ensure personal data protection and must implement technical and organizational measures, as well as adequate procedural rules to enforce the provisions of the Act and other regulations concerning confidentiality and security of data processing.
Personal data must be protected against unauthorized access, alteration, transfer, disclosure, deletion, accidental deletion or damage, as well as against becoming inaccessible due to changes in the technology applied.
If multiple possibilities for data processing solutions exist, the solution to be chosen should provide a higher level of security for personal data, unless this would result in a disproportionate burden for the data controller.
There is no mandatory requirement in the Act to report data security breaches or losses to the Commissioner or to data subjects.
As an exception, however, electronic communication service providers must immediately report data security breaches to the National Media and Infocommunications Authority under Act No. 100 of 2003 on Electronic Communications.
As mentioned above the new Act introduced the so-called National Authority for Data Protection and Freedom of Information, an administrative body replacing the Commissioner. The leader of the Authority is the President, nominated by the Prime Minister and appointed by the President of the Republic, for a total term of 9 years. The Authority will have broader powers than the Commissioner before it.
The new Authority takes over the role of the Commissioner, but with greater powers. It will have the power necessary to ensure and enforce compliance with data protection laws. The newly created procedures of the Authority will be more differentiated and thorough and might consist of several phases, in accordance with the provisions of the new Act. These procedures will provide more effective tools for the Authority to protect the rights of the data subjects in connection with the processing of their personal data by data controllers.
The Authority will have several instruments to enforce compliance, the most important being:
■ ordering the correction of inadequate personal data;
■ ordering the block deletion or termination of illegally controlled personal data;
■ prohibiting the illegal controlling or processing of personal data;
■ prohibiting the transfer of personal data to foreign countries;
■ ordering the notification of the affected party, if the data controller illegally refused to do so; and
■ imposing a fine ranging from HUF 100,000 (approx. EUR 350) to HUF 10,000,000 (approx. EUR 35,000).
The Act will apply to most electronic marketing activities, as there is likely to be processing and use of personal data involved (e.g. an email address is likely to be “personal data” for the purposes of the Act).
Also, pursuant to Act 48 of 2008 on the Basic Requirements and Certain Restrictions of Commercial Advertising Activities, unless otherwise provided by specific other legislation, advertisements may be conveyed to natural persons by way of direct contact (hereinafter referred to as “direct marketing”), such as through electronic mail or equivalent individual communications only upon the express prior consent of the person to whom the advertisement is addressed. The request for the consent may not contain any advertisement, other than the name and description of the company.
The statement of consent may be made in any way or form, on condition that it contains the name of the person providing it and – if the advertisement to which the consent pertains may be disseminated only to persons of a specific age – his place and date of birth, as well as any other personal data authorised for processing by the person providing the statement, including an indication that it was given freely and in possession of the necessary legal information.
The statement of consent may be withdrawn freely any time, free of charge and without any explanation. In this case all personal data of the person who has provided the statement must be promptly erased from the records and all advertisements must be stopped.
Pursuant to Act 100 of 2003 on Electronic Communications ("EC Act"), applying an automated calling system free of any human intervention, or any other automated device for initiating communication with a subscriber for the purposes of direct marketing, providing information, public-opinion polling or market research, shall be subject to the prior consent of the subscriber.
Online Privacy (Including Cookies and Location Data)
The EC Act deals with the collection of location and traffic data by public electronic
Traffic Data – With certain special exceptions set out in the EC Act (e.g. invoicing, collecting subscriber fees, law enforcement, national security and defense), traffic data relating to subscribers and users processed and stored by CSPs while providing such services must be erased or made anonymous when it is no longer needed.
CSPs may use certain traffic data as referred to in the EC Act for the provision of value added services or for marketing purposes subject to the subscriber’s or user’s prior consent, to the extent necessary for the provision of such services or for marketing purposes. CSPs shall provide the possibility for users or subscribers to withdraw their consent at any time.
Location Data – CSPs shall be authorized to process location data only upon the prior consent of the subscribers or users to whom the data are related, and only to the extent and for the duration as it is necessary for the provision of value added services.
Users and subscribers shall have the right to withdraw their consent at any time.
CSPs shall be required to comply with any request for location information in connection with specific subscribers or users, if made by the investigating authority, the public prosecutor, the court or the national security service pursuant to the authorization conferred in specific other legislation, to the extent required to discharge their respective duties.
Cookie Compliance – Pursuant to the EC Act, on the electronic communication terminal equipment of a subscriber or user, information may be stored, or accessed, only upon the user’s or subscriber’s prior consent granted in possession of clear and comprehensive information, which information inter alia includes the purpose of processing.
The competent Hungarian Authorities have not issued any guidance on the interpretation of "consent" or on the manner in which this consent should be obtained in practice. General practice is that consent can be obtained via browser settings; however, as noted, this has not yet been confirmed by any opinion or guidance of the Authorities.