For background, the entry into force of the GDPR created a "patchwork" regulation in which besides the GDPR, the national data protection act - Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information ("Act") - and several sectorial laws remained in force in unchanged form. This led to contradictions in the regulations and general legal uncertainty surrounding the topic. Though the new legislation is not a comprehensive review of all data protection-related regulations, it aims to clarify some important issues regarding the parallel application of the GDPR and the Act.
Scope of application of the Act
Unless otherwise prescribed by law or European regulation, data controllers or processors must apply the rules of the Act if
a) the controller's main establishment or the controller's only place of business within the EU is in Hungary or;
b) the controller's main establishment or the controllers' only place of business within the EU is not located in Hungary, but the data processing activity is connected to
- providing goods or services to data subjects staying in Hungary or
- monitoring data subjects' behaviour inside the territory of Hungary.
Most important novelties
Below we summarise the most important rules of the Amendment, which change the current legislation and/or supplement the GDPR:
(i) Legal base of mandatory data processing: If the data controller must process personal data to comply with its legal obligation, the legal base of the data processing activity must be based on an act issued by the Hungarian Parliament or a decree issued by the local government. If such laws (act or the local government's decree) do not provide a legal basis for the data processing activity, but the processing is necessary to the controller to fulfil its tasks set out by law, the controller must obtain the prior consent of the data subjects.
(ii) Mandatory review of data processing activity: If the data processing is mandatory (i.e. required by law), and the period or the necessity of revision of data processing activities is not determined by law or an EU act, the controller must revise its data processing activities at least every three years. The aim of the review is to decide whether the data processing activity is still necessary to achieve the original purpose. The revision must be documented and be retained for ten years.
(iii) Examination of the data subject's request: The controller must provide information on action taken at the request of the data subject within 25 days.
(iv) Rights of deceased persons: In five years after the death of the data subject, his/her rights relating to data processing may be exercised by an authorised person. In the absence of an authorisation, close relatives are entitled to exercise the deceased person's rights.
(v) Abolishment of the central data protection register of the authority: The Amendment abolishes the requirement of registering data processing activities with the supervisory authority. As a result, data controllers may process personal data without registration. Controllers will be required to keep their own registers as required by the GDPR.
The Amendment represents a significant step in harmonising the national legislation with the GDPR, but it leaves some loopholes (e.g. harmonisation of the sectoral data protection rules). These will presumably be subject to broader data protection reform that is expected in the autumn session of Parliament. In this transition period, the assistance of qualified legal advisors to achieve compliance with the GDPR and the multiple national data protection laws is of even higher importance.
We're on top of legal developments in Austria and CEE. Are you? Subscribe to our weekly updates!
Hungary: GDPR Considerations in M&A Transactions