Data Privacy and Cybersecurity

GDPR Guide to National Implementation: Hungary

A practical guide to national GDPR compliance requirements across the EEA

Hungary

In this chapter:

Q1/ Applicable legislation

Q2/ Personal data of deceased persons

Q3/ Legal bases for processing

Q4/ Consent of children

Q5/ Processing of sensitive personal data

Q6/ Data relating to criminal offences or convictions

Q7/ Exemptions

Q8/ Restrictions on data subjects’ rights

Q9/ Joint controllership

Q10/ Processor

Q11/ Data protection Impact Assessments

Q12/ Prior authorisation and public interest

Q13/ DPOs

Q14/ International data transfers

Q15/ DPAs

Q16/ Claims by not-for-profit bodies

Q17/ Administrative fines, penalties and sanctions

Q18/ Freedom of expression and information

Q19/ National identification numbers

Q20/ Processing in the context of employment

Q21/ Other material derogations

Q22/ Current legal challenges

Q23/ Enforcement

Q24/ Regulatory Guidance

———


Q1/ Applicable legislation

(a) Have the requirements of the GDPR been addressed by introducing a new law, or by updating existing legislation?

Old legislation has been updated.

———

(b) Relevant legislation includes:

  • Act CXII of 2011 on the Right of Informational Self-Determination and on Freedom of Information (the “Data Protection Act”)
    • Date in force: 26 April 2019
    • Link: In Hungarian: see here
  • Act XLVII of 1997 on the processing and protection of personal data concerning health (the “Health Data Processing Act”)
    • Date in force: 26 April 2019
    • Link: In Hungarian: see here

———

(c) What is the status of national pre-GDPR data protection law?

The relevant pre-GDPR legislation has been revised.

———


Q2/ Personal data of deceased persons

Does national law make specific rules regarding the processing of personal data of deceased persons?

The rights of a deceased person may be exercised within five years following their death by a person designated by the relevant data subject, by means of an administrative disposition, or by a statement executed before the controller, with the last statement prevailing if the data subject made more than one such statement before a single controller. Where the data subject did not specify a person as per the above, their close relative (as defined in the civil code) is entitled to exercise the rights referred to in the GDPR for five years following the death of the data subject.

———


Q3/ Legal bases for processing

(a) Does national law make specific rules regarding the processing of personal data in compliance with a legal obligation?

Where processing is carried out under Art. 6(1)(c) GDPR, the Act or decree imposing the processing obligation must specify the following:

  • the type of data;
  • the purpose and conditions of processing;
  • the rules regarding access to such data;
  • the identity of the controller; and
  • the duration and periodic review of the processing operation.

———

(b) Does national law make specific rules regarding the processing of personal data for the performance of tasks carried out in the public interest?

A body with public service functions may disclose to the public personal data and personal data of public interest they may have on file to any person (unless such data is classified under relevant statutes). Information of public interest can be made available to anyone upon verbal request, in writing or by electronic means.

———

(c) Does national law make specific rules regarding the processing of personal data in the exercise of official authority vested in the controller?

There are no specific rules governing this issue.

———

(d) Does national law contain criteria in addition to those listed in the GDPR, to determine whether processing for a new purpose is compatible with the purpose for which the personal data were initially collected?

There are no specific additional criteria governing this issue.

———


Q4/ Consent of children

At what age can a child give their consent to processing in relation to ISS?

16 years of age.

———


Q5/ Processing of sensitive personal data

(a) Are there any sensitive personal data which cannot be processed on the basis of a data subject’s consent?

All sensitive personal data can be processed if the data subject’s valid consent has been obtained.

———

(b) Does national law contain any specific requirements regarding the processing of sensitive personal data in respect of the following:

(i) Employment, social security and/or social protection law

Employees’ biometric data may be processed for identification purposes where this is necessary to prevent unauthorised access (whether to a thing or to data) if such access would cause serious or significant irreversible harm, including to the life, physical integrity or health of the employee or others, or major interests protected by law. Major protected interests include information classified as confidential, and interests relevant to safeguarding firearms, ammunition, explosives, safeguarding toxic or hazardous chemical substances or biological material, etc.

(ii) Substantial public interest

There are no specific rules on processing this category of data.

(iii) Preventative or occupational medicine; employee working capacity, medical diagnosis, provision of health or social care, or management of health or social care systems or services

Employers may process data relating to the working capacity of employees only where this is carried out on the basis of a specific legal (or regulatory) provision.

(iv) Public interest in the area of public health

There are no specific rules on processing this category of data.

(v) Archiving purposes, scientific or historical research purposes or statistical purposes

There are no specific rules on processing this category of data.

———

(c) Has national law introduced any further conditions and/or limitations with regard to the processing of genetic data, biometric data, or health data?

There is specific legislation regulating the protection of genetic data and health data.

The Health Data Processing Act regulates the processing of health-related sensitive personal data. The legislation applies to healthcare providers, all members of the healthcare profession and all legal entities that process health data. Different purposes for processing personal data are specified in the legislation, for example, medical diagnosis and medical treatment, epidemiology and occupational health, public health, statistical purposes, scientific research, etc. The legislation also regulates the processing of health data in the national healthcare network’s IT system operated by the State, along with several other databases and registers.

Specific legislation determines the conditions and purposes of processing human genetic data, including which entities are authorised to process such data, the extent to which the right of access applies and the implementation of specific safeguards (such as the requirement to obtain written consent from data subjects).

———


Q6/ Data relating to criminal offences or convictions

Under what conditions does national law permit the processing of personal data relating to criminal convictions?

Personal data from criminal records processed for the purpose of prevention, investigation and prosecution of criminal activities and for administrative and law enforcement purposes, and data files containing information pertaining to misdemeanour, civil cases and non-contentious proceedings, and for contentious and non-contentious administrative proceedings may only be processed by central or local government authorities.

The provisions on the processing of sensitive data will apply to the aforementioned data unless other legislation (national, international or from the EU) provides otherwise.

———


Q7/ Exemptions

(a) Does national law specify exemptions to a data subject’s right to erasure?

There are no specific exemptions to the right to erasure.

———

(b) Does national law specify exemptions to a data subject’s right to be provided information under Art. 14 GDPR where the personal data has not been obtained from the data subject?

There are no specific exemptions to the right to be provided information.

———

(c) Does national law specify exemptions to a data subject’s right to not be subject to a decision based solely on automated processing, including profiling?

There are no specific exemptions to the right to not be subject to automated individual decision-making.

———


Q8/ Restrictions on data subjects’ rights

Aside from the exemptions noted in Q7, does national law contain any other restrictions on the rights of data subjects under Chapter III GDPR?

There are no additional restrictions on data subjects’ rights.

———


Q9/ Joint controllership

Does national law provide rules or guidance on the apportionment of responsibility between joint controllers?

There are no additional rules on apportionment of liability between joint controllers.

———


Q10/ Processor

In addition to the contract between controller and processor, are there any pieces of legislation which govern processing by a processor?

There are no additional pieces of legislation.

———


Q11/ Impact Assessments

Are there any circumstances in which national law requires an Impact Assessment to be carried out, where the GDPR would not otherwise require such an assessment?

An Impact Assessment will be required in the case of mandatory data processing, in particular, the mandatory data processing required for law enforcement, national security and defence purposes.

———


Q12/ Prior authorisation and public interest

Are there any circumstances in which national law requires controllers to consult with, or obtain prior authorisation from, the DPA in relation to processing for the performance of a task carried out by the controller in the public interest (including processing in relation to social protection and public health)?

Prior authorisation from the DPA is only required in accordance with the provisions of the GDPR.

———


Q13/ DPOs

(a) Does national law require controllers to appoint a DPO in circumstances other than those in Art. 37(1) GDPR?

DPOs are only mandatory in the circumstances set out in Art. 37(1) GDPR.

———

(b) Does national law impose secrecy and confidentiality obligations on DPOs and if so, in what circumstances do they apply?

The DPO is required to keep confidential any personal data, classified information, secrets protected by law and secrets obtained during the performance of their duties, as well as any other data, facts or circumstances that the DPO’s employer is not required by law to make available to the public during the term of employees’ employment and after the termination thereof.

———


Q14/ International data transfers

(a) Does national law make specific rules about transfers of personal data from public registers?

Data transfers from public registers are not subject to specific rules.

———

(b) Does national law restrict the transfer of specific categories of personal data to third countries?

Data transfers are not subject to restrictions beyond those set out in the GDPR.

———


Q15/ DPAs

(a) Details of the DPA(s).

  • Name of DPA: Hungarian National Authority for Data Protection and Freedom of Information

———

(b) If more than one national DPA has been established, what is the rationale behind multiple DPAs?

Not applicable as there is only one DPA.

———

(c) How does national law ensure consistent application of the GDPR by the various DPAs in accordance with Art. 63 GDPR?

Not applicable.

———

(d) Does national law grant the relevant DPA additional powers beyond those set out in Art. 58 GDPR?

The DPA has the following additional powers:

  • to make recommendations for new regulations and for the amendment of legislation pertaining to the processing of personal data, public information and information of public interest, and to express its opinion on bills relating to this topic;
  • to publish a report on its activities each year, by 31 March, and to present this report to Parliament;
  • to make recommendations in general, or to specific controllers;
  • to give an opinion on special and ad hoc publication lists relating to the activities of certain public bodies;
  • to collaborate with the entities and persons (e.g., National Tax and Customs Administration) representing Hungary amongst the EU DPAs; and
  • to organise conferences for DPOs.

———

(e) What national appeals process exists to enable parties to challenge the decisions of the DPA?

There are no specific rules on this issue.

———

(f) Have specific national rules been adopted regarding the DPA’s power to obtain information from controllers or processors that are subject to obligations of professional secrecy (or equivalent)?

There are no specific rules on this issue.

———


Q16/ Claims by not-for-profit bodies

Does national law specify any not-for-profit bodies that are entitled to bring claims on behalf of individuals without the specific mandate of those individuals?

There are no not-for-profit bodies that are specifically mandated to bring such claims.

———


Q17/ Administrative fines, penalties and sanctions

(a) Does national law lay down rules on whether and to what extent administrative fines may be imposed on public authorities for breaches of the GDPR?

Public authorities may be fined an amount ranging between HUF 100,000 (approx. €280) and HUF 20 million (approx. €55,000) where such a fine is imposed under Art. 83 GDPR.

———

(b) Does national law impose penalties/sanctions in addition to those set out in the GDPR, for breaches of the GDPR not subject to administrative fines (e.g., criminal penalties)?

There are no additional penalties or sanctions.

———


Q18/ Freedom of expression and information

(a) What (if anything) does national law do to balance the provisions of the GDPR against the right to freedom of expression and information?

The processing of personal data is deemed fair and lawful if, for the purpose of ensuring the data subject’s right to the freedom of expression, the person wishing to find out the opinion of the data subject visits him or her at his or her domicile or place of residence, provided that the data subject’s personal data are processed in compliance with the Data Protection Act and contacting him or her is not for business purposes.

———

(b) What derogations have been introduced by national law concerning the processing of personal data for the purpose of academic, artistic or literary expression?

Entities or persons conducting scientific research may disclose personal data if it is necessary to demonstrate the findings of research relating to historical events.

———


Q19/ National identification numbers

Does national law stipulate specific conditions for the processing of a national identification number, and if so, what are the conditions?

Organisations in certain sectors (e.g., financial services institutions, insurance funds, providers of accountancy and auditing services) are entitled to process national identification numbers for specific statutory purposes relating to the prevention and combating of money laundering and terrorist financing.

———


Q20/ Processing in the context of employment

(a) For what purposes can employees’ personal data in the employment context be processed under national law?

Employees’ personal data may be processed in the employment context for the following purposes:

  • for the purpose of exercising the rights and fulfilment of obligations stated in the Hungarian Labour Code;
  • for the purpose of identification of employees; or
  • for the purpose of determining whether the prospective or actual employment of the relevant person is restricted or prohibited by law or by a decision of the employer (e.g., because of criminal records).

———

(b) Does national law provide safeguards for employees’ dignity, legitimate interests, and fundamental rights?

The following safeguards apply:

  • the privacy rights of employees may be restricted if deemed strictly necessary for reasons directly related to the intended purpose of the employment relationship and if proportionate for achieving its objective. The means and conditions for any restriction of rights relating to personality and the expected duration must be communicated to the relevant employees in advance and in written form;
  • in general, employees may not waive their rights relating to personality in advance. Any legal statement concerned with the privacy rights of an employee will be formally valid if made in writing;
  • employers are entitled to request statements and disclosure of personal data from the employees if it is necessary for the establishment, performance and termination of the employment relationship;
  • work councils and trade unions could also request statements and disclosure of personal data under the employment relationship;
  • employees’ biometric data may be processed for identification purposes where this is necessary to prevent unauthorised access (whether to a thing or to data) if such access would cause serious or significant irreversible harm, including to the life, physical integrity or health of the employee or others, or major interests protected by the law. Major protected interests include information classified as confidential, and interests relevant to safeguarding firearms, ammunition, explosives, safeguarding toxic or hazardous chemical substances or biological material, etc.; and
  • employers may monitor employees’ behaviour through the use of technical tools. Employers are entitled to access the data stored on the computing device provided to the employer to enable the employee to perform their work.

———


Q21/ Other material derogations

Are there any other material derogations from, or additions to, the GDPR under national law?

There are no other material derogations.

———


Q22/ Current legal challenges

Are there any current legal challenges (e.g., court cases or regulatory appeals) regarding the validity or operation of the national GDPR implementation law (e.g., claims that the law incorrectly applies the GDPR; claims that the law is incompatible with constitutional principles; etc.)?

There are no current legal challenges ongoing.

———


Q23/ Enforcement

Has the local DPA issued any material fines or taken any material enforcement action to date for breaches of the GDPR?

The DPA has taken enforcement action for breaches of the GDPR, including:

  • against a political party, issuing them with an administrative fine of HUF 11 million (approx. €34,400) for the infringement of Arts. 33 & 24 GDPR; and
  • against a cultural management company, issuing them with an administrative fine of HUF 30 million (approx. €92,300) for the infringement of Arts. 5(1)(b)-(c), (2) & 6 GDPR.

———


Q24/ Regulatory Guidance

Has the DPA issued any significant guidance on the application of the GDPR or national implementation law?

The DPA has issued the following guidance on the application of the GDPR and/or GDPR implementation law (in Hungarian):

  • guidance on the role of local authorities as controllers and their policy making obligations (see here);
  • guidance on the role of Hungarian branch offices of foreign registered companies as controllers (see here);
  • guidance on data processing activities of professional chambers (see here);
  • guidance on data processing activities of employers in relation to biometric data of the employee’s chambers (see here); and
  • guidance on data processing activities of employers related to the extraction of criminal records of employees (see here).

———


Germus & Partners contributors

Gábor Germus
Office Managing Partner, Germus & Partners
T +36 1 279 3330
E gabor.germus@germus.hu

Dr. Gábor Germus graduated from the Faculty of Law at Eötvös Loránd University in 1994, including receiving a Tempus scholarship to Nijmegen, the Netherlands, in 1992 to deepen his knowledge. He pursued his studies and research in Koblenz, Germany, in 1997 with a DAV scholarship. Gábor is a managing partner of the firm. His working languages are Hungarian, English and German. Gábor regularly advises international corporate clients in various legal fields including privacy and data protection.

Ákos Kékuti
Partner, Germus & Partners
T +361 279 3330
E akos.kekuti@germus.hu

Dr. Ákos Kékuti LL.M. is the founding partner of Germus & Partners Attorneys-At-Law in 2009. He graduated summa cum laude in 2001 at the Faculty of Law of Eötvös Loránd University, then he graduated “sehr gut” in 2002 at Heidelberg University in Germany. He participated in the Philip C. Jessup International Law Moot Court Competition in Washington, DC, as a contestant in 2001 and as a coach between 2003 and 2004. At the same time he was a visiting lecturer at the Department of Public International Law of Eötvös Loránd University. His working languages are Hungarian, German and English. Ákos is the head of the privacy and data protection group of the firm, and has participated in several GDPR audits and procedures before the National DPA.

———



This publication is provided for your convenience and does not constitute legal advice. This publication is protected by copyright.
© 2019 White & Case LLP

 
