Privacy Law in Hungary

Privacy Law in Hungary is governed by a combination of national legislation, aligned with European Union regulations, particularly the General Data Protection Regulation (GDPR), as well as the Hungarian Constitution and local laws. Here’s an overview of privacy and data protection law in Hungary:

1. General Data Protection Regulation (GDPR)

As a European Union (EU) member state, Hungary is bound by the General Data Protection Regulation (GDPR), which is the cornerstone of data privacy law in all EU countries. The GDPR came into effect on May 25, 2018, and sets strict guidelines on how personal data is handled, processed, and protected.

Key Elements of the GDPR Relevant to Hungary:

Scope: The GDPR applies to all organizations operating in the EU or those that process the personal data of EU citizens.

Data Protection Principles: It mandates that personal data be processed lawfully, fairly, and transparently, and that it be collected for specific, legitimate purposes.

Rights of Individuals:

Right to Access: Individuals have the right to access the personal data an organization holds about them.

Right to Rectification: Individuals can correct inaccurate data.

Right to Erasure ("Right to be Forgotten"): Individuals can request that their data be deleted under certain conditions.

Right to Data Portability: Individuals can request that their data be transferred to another organization.

Right to Object: Individuals can object to data processing in certain circumstances, including for marketing purposes.

Right to Restrict Processing: Individuals can restrict the processing of their data in some cases.

Fines and Penalties: Under the GDPR, organizations that fail to comply can be subject to significant fines—up to €20 million or 4% of their global annual turnover, whichever is greater.

2. Hungarian Data Protection Legislation

While Hungary follows the GDPR, it also has specific national regulations that complement and implement the GDPR’s requirements. The key legislation in Hungary is:

The Act on Information Self-Determination and Freedom of Information (Act CXII of 2011)

This act provides additional details on personal data protection in Hungary and serves as the country’s primary data protection law.

Key elements of this law include:

Data Subject Rights: It outlines the rights of individuals over their personal data, including access, rectification, erasure, and objection.

Data Processing: It establishes rules for when and how personal data can be processed, requiring that data processing activities be based on specific legal grounds (such as consent, contractual necessity, or compliance with legal obligations).

Data Security: The law requires data controllers to take appropriate technical and organizational measures to protect personal data from breaches.

Transparency and Notification: Organizations are required to inform individuals about how their data will be used, and in some cases, must notify the National Authority for Data Protection and Freedom of Information (NAIH) about their data processing activities.

3. National Authority for Data Protection and Freedom of Information (NAIH)

The National Authority for Data Protection and Freedom of Information (NAIH) is the supervisory authority responsible for ensuring compliance with data protection laws in Hungary.

Responsibilities of NAIH:

Supervisory Functions: It has the authority to investigate complaints, monitor compliance, and carry out audits of data controllers and processors.

Enforcement and Penalties: NAIH can impose fines, order corrective actions, and issue bans on certain data processing activities.

Public Awareness: NAIH plays an important role in educating the public about their data protection rights and ensuring transparency in the data processing sector.

Website: National Authority for Data Protection and Freedom of Information (NAIH)

4. Data Breach Notification

Under both the GDPR and Hungarian law, organizations must notify the NAIH within 72 hours of discovering a personal data breach, provided the breach is likely to result in a risk to the rights and freedoms of individuals. The organization must also inform the affected individuals if the breach is likely to result in a high risk to their rights and freedoms.

5. Special Categories of Data

Hungary, in line with the GDPR, recognizes certain types of special category data, which require higher protection due to their sensitive nature. These include:

Racial or ethnic origin

Political opinions

Religious or philosophical beliefs

Trade union membership

Genetic or biometric data

Health data

Data related to a person’s sex life or sexual orientation

Processing of such sensitive data is prohibited unless specific conditions apply, such as obtaining explicit consent from the data subject or fulfilling specific legal obligations.

6. Children’s Data

In Hungary, as in the rest of the EU, children’s data is subject to additional protections under the GDPR. The minimum age for a child to consent to data processing is 16 years. However, national laws can set a lower age limit, and Hungary has set it at 13 years old for children to give valid consent for processing personal data related to online services.

7. Direct Marketing and Consent

Hungary follows the GDPR’s provisions on direct marketing and unsolicited communications. Organizations must obtain explicit consent from individuals before sending direct marketing materials, including via email, phone, or SMS. The individual must also have the right to opt out at any time, and the organization must provide an easy way for individuals to withdraw consent.

8. Cross-Border Data Transfers

Like all EU member states, Hungary adheres to the GDPR’s rules on international data transfers. Personal data may only be transferred outside the EU/EEA under specific conditions, such as:

Adequacy decisions: If the European Commission has determined that the recipient country ensures an adequate level of data protection (e.g., countries like Canada or Japan).

Standard Contractual Clauses (SCCs): Organizations can use SCCs to ensure appropriate safeguards are in place for data transferred outside the EU.

Binding Corporate Rules (BCRs): Multinational organizations can use BCRs as internal policies that govern international data transfers within their group.

9. Enforcement and Penalties

Non-compliance with privacy laws can result in severe penalties in Hungary:

Under the GDPR, fines can be up to €20 million or 4% of the global annual turnover, whichever is higher, for serious infringements.

In addition to fines, organizations may be subject to orders to cease or rectify their data processing practices and compensation claims by individuals whose data rights have been violated.

The NAIH has the authority to investigate, impose fines, and enforce compliance.

10. Recent Developments

In recent years, there have been several high-profile cases in Hungary involving data privacy, particularly in areas like:

Online data processing and surveillance

Health data protection (especially during the COVID-19 pandemic)

Smart city initiatives and public surveillance systems, where the use of biometric data or location tracking has raised privacy concerns.

Hungary’s NAIH has been increasingly active in providing guidance to both public and private sectors on how to comply with the evolving privacy and data protection laws.

11. Conclusion

Hungary has a strong legal framework for privacy and data protection, primarily grounded in the GDPR and complemented by national laws such as Act CXII of 2011. The NAIH plays an essential role in overseeing compliance and ensuring that data subjects' rights are respected. While Hungary’s privacy laws are in line with EU standards, organizations must remain vigilant about data security, cross-border transfers, and individual rights to avoid penalties and ensure compliance.

 
