The new constitution of Hungary (the Fundamental Law) was adopted in 2011 and entered into force on 1 January 2012. The Fundamental Law contains a section on 'Freedom and Responsibility', which describes the fundamental rights of individuals. Article VI(1) of the Fundamental Law generally provides that everyone is entitled to respect for his or her private and family life, home, communications and good reputation, whereas Article VI(2) provides for the right to the protection of personal data as well as for the right to access and disseminate information of public interest. In addition, Article VI(3) states that an independent authority shall be responsible for the enforcement of the protection of personal data and freedom of access to data of public interest.
The Hungarian Civil Code, which was adopted in 2013 and entered into force on 15 March 2014, also contains provisions concerning privacy rights. The general rules on the protection of personality rights (including the right to the protection of personal data) are set out in the Civil Code, which provides the basic rules for civil law relationships. Accordingly, personality rights can be exercised freely within the framework of the law and without infringing the rights of others. The exercise of such rights shall not be impeded by any other person. However, personality rights shall not be considered as having been violated if the person concerned has given prior consent.
Although the above legislation contains general principles and clauses, the recent introduction of the European General Data Protection Regulation (GDPR) has brought a considerable change to Hungary's single legislative privacy regime. From 25 May 2018, the general rules on the protection of personal data and freedom of information are contained in the GDPR, and Act CXII of 2011 on Informational Self-Determination and Freedom of Information (the Privacy Act) is secondary to the general rules that apply throughout the European Union. As of July 2018, the bill amending the Privacy Act for the sake of GDPR compliance is being discussed by the Hungarian parliament, and the final version of the Privacy Act is likely to be published later in the summer. It is interesting that a draft of the amendment had been issued for comments by professionals last autumn but was withdrawn because the government was not satisfied with it; the same amendment is now being discussed by the parliament even though it suffers from the same defect as last autumn, namely that the draft does not make use of the points of departure from the GDPR text that the GDPR allows.
In the meantime the Privacy Act underwent a minor modification so that the Hungarian Data Protection Authority (DPA) has been appointed to act as the supervisory authority under the GDPR. This minor amendment also stipulated that a first breach of data protection law will be sanctioned with just a warning where the circumstances of the case allow.
The entity responsible for enforcing the data protection law is the DPA. The DPA aims to guarantee the rights of individuals to exercise control over their privacy and to have access to data of public interest and public data on the grounds of public interest. The GDPR and the Privacy Act are regarded as background legislation for specific statutes regulating the collection and processing of personal data.
The GDPR and the Privacy Act should be considered as the general legislation providing rules regarding the protection of personal data and the disclosure of public data. Beyond this scope, there are other sectoral acts (e.g., the Labour Code, Electronic Communications Act, etc.) that provide additional data protection-related provisions. The processing of medical, criminal, electoral and citizenship data is regulated by other acts.
In Hungarian data privacy regulation, the role of NGOs and self-regulatory industry groups, as well as society or advocacy groups, is marginal, and there are no specific Hungarian laws providing for government surveillance powers.
The government approved the National Cybersecurity Strategy, which determines the national objectives and strategic directions, tasks and comprehensive government tools to enable Hungary to enforce its national interests in Hungarian cyberspace, within the context of the global cyberspace. The strategy aims to develop a free and secure cyberspace and to protect national sovereignty.
II THE YEAR IN REVIEW
The year 2018 so far has been all about preparation for the new regime of the GDPR. Many related publications and opinions have been issued by private sector market participants and also by the DPA; however, the DPA follows the general guidelines of the Article 29 Working Party in all matters, so most of the DPA's guidelines can be considered translations of the guidelines used throughout the EU.
As a first-wave preparation aid, the DPA published a localised version of the UK Information Commissioner's Office's 12-point list on how to get ready for the GDPR. Subsequently, in its annual report, the DPA dedicated a whole chapter to analysing and describing the most important developments of the GDPR, and even provided comparisons with the local Privacy Act to explain the key changes that the GDPR will introduce when it enters into force.
As mentioned earlier, at the end of August 2017 a bill was submitted to the parliament with the aim of harmonising the Privacy Act with the new, directly applicable GDPR. The general and detailed debate on the bill, and hopefully its adoption, will take place in the summer session as discussed above.
In 2018 the DPA has seen its staff expanded and approximately 40 colleagues have been hired to ensure that the DPA is able to handle the workload caused by the changes resulting from the introduction of the GDPR.
III REGULATORY FRAMEWORK
i Privacy and data protection legislation and standards
The GDPR and the Privacy Act regulate the protection of personal data in Hungary. The GDPR, in force since 25 May 2018, and the Privacy Act, which was enacted in 2011 and entered into force on 1 January 2012, purport to guarantee the right of everyone to exercise control over his or her personal data and to have access to data of public interest.
There are two categories of protected information: 'personal data' and 'sensitive data'. There is also a third category of data named 'data of public interest'; this is beyond the scope of the GDPR but the Privacy Act contains regulations for this category of data, as well.
The GDPR and the Privacy Act apply to all data processing and technical data processing that is carried out in Hungary or that is aimed at Hungarian data subjects, and that pertains to the data of natural persons. The GDPR and the Privacy Act regulate the processing of data carried out wholly or partially by automatic means, as well as the manual processing of data.
Personal data are defined in Article 3.2 of the Act as any data relating to the data subject – a specific (directly or indirectly identified or identifiable) natural person – and any conclusion with respect to the data subject that can be inferred from that data, in particular by reference to his or her name, identification code or to one or more factors specific to his or her physical, physiological, mental, economic, cultural or social identity. For the purposes of the GDPR, the term personal data is very similar: 'personal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
The term 'special data' (sensitive data) is defined by the Privacy Act as information on a data subject's racial and national origin, political opinion or party affiliation, religious or ideological beliefs, or membership of any special interest organisations, as well as his or her state of health, pathological addictions, sex life or criminal personal data. The GDPR now provides a similar definition: processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited.
Please note that the basic standpoint of the GDPR is different from the approach of the Privacy Act, as the GDPR prescribes that the processing of categories of sensitive data is prohibited and they may be processed only if certain exceptions listed in GDPR Article 9(2) are applicable.
The Privacy Act also protects data of public interest and data that are public on grounds of public interest. The term 'data of public interest' is defined to include any information or knowledge, not falling under the definition of personal data, processed by an organ or person performing a state or local government function or other public function determined by law.
A data controller has been defined by the Privacy Act as any natural or legal person, or any organisation without legal personality, who or which, alone or jointly with others, determines the purpose of the processing of personal data, makes decisions on data processing (including those as to the means of the processing), and implements these decisions or has them implemented by the technical data processor he or she has assigned, whereas the new GDPR contains the following definition: 'controller' means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
The Act identifies a 'data processor' as any natural or legal person or organisation without legal personality that carries out the technical processing of personal data based on a contract with the data controller – including the conclusion of a contract pursuant to a rule of law. Under the GDPR 'processor' means a natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller.
The GDPR and the Act apply to both types of data processing entities, namely data controllers and data processors, with some different provisions applying to technical data processing.
The data controller is always responsible for the lawfulness of the instructions given for the data processing operations of its outsourced data processor.
The data processor shall process personal data in compliance with the specific instructions of the data controller; consequently, the processor cannot make any decisions concerning data processing.
It has been noted that, as of 1 July 2013, a data processor may contract out processing operations to another processor in line with the instructions of the data controller. This rule is also incorporated into the GDPR.
Data protection audits
With effect from 1 January 2013, the DPA provides data protection audits as a service to data controllers who request it. The DPA may charge an administrative fee for the audit that cannot exceed 5 million forints. The relevant aspects of DPA audits have been published on the DPA's website. Audits remain possible in the GDPR era, but there are other means of checking compliance with data protection law as well, notably prior consultation in accordance with Article 36 GDPR: a data controller shall consult the supervisory authority (i.e., the DPA) prior to processing where a data protection impact assessment under Article 35 GDPR indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk.
Protection of consumers
The Direct Marketing Act identifies numerous obligations for marketing organisations to ensure the protection of consumers, and particularly restricts the use of the name and home address of natural persons for marketing purposes. Notably, the provisions of the Direct Marketing Act are only applicable where the marketing materials are sent by post. Marketing materials sent by electronic means are regulated by the Advertising Act and the e-Commerce Act. In this regard the GDPR brings some novelties: Recital 47 states that the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest, which implies that no consent is required as a legal basis for such data processing and which is a significant change from the previous Hungarian approach. It is also true that the Hungarian Acts indicated above are in conflict with the GDPR, as they have not been amended yet; the Hungarian situation may therefore be regarded as dubious as long as the domestic laws are not made compliant with the GDPR.
ii General obligations for data handlers
According to the GDPR, processing shall be lawful only if and to the extent that at least one of the following applies:
- the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
- processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
- processing is necessary for compliance with a legal obligation to which the controller is subject;
- processing is necessary in order to protect the vital interests of the data subject or of another natural person;
- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; and
- processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject that require protection of personal data, in particular where the data subject is a child.
Before collecting information from an individual, the controller must indicate to the data subject whether the data processing is based on consent or relies on another legal ground. In addition, the data controller must provide the data subject with unambiguous and detailed information on all the facts relating to the processing of his or her data, in line with Articles 13 and 14 GDPR.
Regarding online data, Act CVIII of 2001 on Certain Issues of Electronic Commerce Services and Information Society Services provides, inter alia, that information means any data, signal or image that can be processed, stored and transmitted by electronic means irrespective of whether its content is protected by law; and information society service means remote services provided by electronic means, generally for payment, and accessed by the recipient of the service individually.
According to this Act, the service provider may process personal data that is suitable and sufficient for the identification of the recipient of the service for the purposes of:
- drawing up a contract for the service in question;
- determining and modifying the contents and monitoring the performance of the service;
- charging for the service; and
- enforcing claims relating to the service.
The recipient of the service shall be allowed – at all times before and during the course of using the information society service – to prohibit the data processing.
Requirements of preliminary notices
As mentioned above, data controllers must provide data subjects with unambiguous and adequately detailed information on the circumstances of the processing of their personal data. On 9 October 2015, the DPA issued an official recommendation regarding the minimum requirements for preliminary notices provided to data subjects prior to the commencement of the processing of their personal data. While these recommendations are generally considered soft law, in the event of an investigation the DPA will check whether the data controller meets these requirements. This recommendation continues to be in force, as it is compliant with the GDPR text.
The recommendation sets out general principles regarding the quality and accessibility of notices, and also contains explanations pertaining to the applicable provisions of the Privacy Act. According to the recommendation, preliminary notices shall:
- be clear: repeating the words of the Privacy Act is not adequate, and the use of everyday wording is suggested;
- be readable and comprehensible: the text of the notice shall be structured and easy to understand;
- align with the set of concerned data subjects: if during the course of the data processing the set of data subjects can be easily determined, then the notice shall align with the specific requirements of the data subjects;
- not be considered a legal statement: the notice itself is not a legal statement. However, the information therein may have a greater impact on the data subjects' consent (which is a legal statement). Should the notice be considered a legal statement, its clarity and transparency would be weakened by the details required by law;
- describe unique data processing: the document fulfils its role as a notice if it contains the unique data processing regulations concerning the specific data controller; and
- be available and accessible: the notice shall always be accessible for the data subject at the time when his or her personal data are being collected.
For the purposes of preliminary notices Articles 13 and 14 of the GDPR shall also be taken into consideration.
Data security incident register
According to Article 15(1a) of the Privacy Act, for subsequent countermeasure examinations by the DPA and for data subject notification purposes, the data controller shall keep a record of all data regarding data security incidents. The register shall contain:
- the personal data concerned;
- the scope and number of subjects affected by the data security incident;
- the date, time, circumstances and effects of the incident; and
- countermeasures carried out.
Additionally, the GDPR introduced a new regime for notifying data breaches to the DPA and, in certain cases, to the data subjects. The detailed rules can be found in Articles 33 and 34 GDPR: in the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. The notification shall contain the nature of the personal data breach, the name and contact details of the data protection officer, the likely consequences and the measures taken or proposed to be taken by the controller to address the personal data breach.
When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.
Database registration requirements
Under the new GDPR rules, the DPA does not keep a registry of data processing activities.
Rights of data subjects
Articles 15 to 21 GDPR contain the rights of the data subjects, such as the right of access by the data subject, rectification and erasure (right to be forgotten), restriction of processing, the right to data portability and the right to object. Data subjects may request information on the processing of their personal data, such as which data are processed by the data controller or its data processors; the purpose of the processing, its legal basis, its duration and the name, address and activity of the data processor; and, should there be one, the circumstances of any data protection incident. They also have the right to know who has received or will receive their data, and for what purpose. The data controller must give this information within a month and in an easily understandable manner. Data controllers must provide this information in written form if this is requested by the data subject.
The GDPR and the Privacy Act require data controllers to rectify any inaccurate personal data. In addition, they provide for the deletion of personal data if the processing is unlawful, if this has been requested by the data subject, or if this has been ordered by a court or the DPA. A data controller must delete data that is incomplete or inaccurate and cannot be corrected in a lawful way, unless the deletion is prohibited by another law. It must also destroy data when the purpose of processing has ceased to exist, or when the time limit for the storage of the data has expired.
Right to objection
Article 21 of the Privacy Act and Article 21 of the GDPR grant data subjects the right to object to the processing of their data in numerous circumstances. These include, for example, when the processing is necessary only for enforcing a right or legitimate interest of the data controller or third party, unless the data processing has been ordered by law.
When an objection has been filed, the data controller must suspend the use of the data while investigating the complaint. It must respond to the request promptly, and within a month at the latest.
Redress and enforcement rights
Any individual may file a complaint with the DPA if he or she thinks that his or her rights have been violated, or that there is an imminent danger of such a violation, except when judicial proceedings are already pending concerning the case in question.
Under the GDPR the maximum data protection fine that can be imposed upon a person or entity responsible for a data security incident has increased to 10 or 20 million euros, respectively, for the different breaches of data protection law detailed in Article 83(4)–(5) GDPR.
Data controllers are held liable under the Privacy Act and the GDPR for any damage suffered by data subjects as a result of the unlawful processing of their data or the infringement of the data protection requirements in the Privacy Act. As of 15 March 2014, the data subject may also claim exemplary damages – namely, lump sum damages that can be awarded by the court as compensation for harm sustained from the infringement of privacy rights by the data controller as a result of unlawful data processing or a breach of data security requirements.
iii Technological innovation and privacy law
More detailed regulatory frameworks apply to several data privacy issues.
The Labour Code generally authorises employers to introduce monitoring measures. It allows employers to monitor the conduct of employees; however, such measures may be taken only in the context of employment. Further, the means used for monitoring may not violate the human dignity of the worker. To exclude all possibility of doubt, the Labour Code also states that the private life of the employee cannot be monitored, which is in conformity with the practice of the European Court of Human Rights. In addition, the employer must give notice to employees, in advance, of the use of technical means serving to control or monitor employees' conduct.
On 30 January 2013, the DPA issued a recommendation on video surveillance in the workplace, which addresses the issues of legal basis, guarantees, data retention, notice and registration requirements relating to the operation of surveillance systems.
Based upon the DPA's recommendation, if video surveillance involves or affects third parties (such as visitors), the DPA must be notified of the data processing relating to the surveillance system. Notification and registration are also required if the surveillance system is not operated by the employer directly, but by a service provider (security service) that is considered the sole controller of the system.
On 28 October 2016, the DPA issued a guideline concerning the basic requirements for workplace data processing operations. The guideline consists of two major parts, the general principles and the special rules for specific data processing operations.
In the first chapter, the guideline compares the principles (purpose, limitation, necessity and proportionality) of the Privacy Act and the Labour Code, and concludes with a joint interpretation of them with respect to workplace data processing activities. Certain privacy-related legal constructs are also explained from a labour law point of view, such as the legal basis of the data processing (consent, mandatory processing, and legitimate interest), the requirement to provide privacy notices to the data subjects prior to the commencement of processing, and cross-border transmission of employee personal data.
The second chapter of the guideline contains basic requirements concerning data processing operations for the following purposes:
- job applications (including anonymous job applications);
- monitoring applicants' social media history;
- retention of applications and CVs;
- data processing by private employment agencies;
- aptitude tests;
- ability to require a clean criminal record from employees;
- workplace CCTV surveillance;
- monitoring the use of corporate email accounts;
- monitoring the use of corporate portable devices (laptops and notebooks);
- monitoring internet usage on corporate devices;
- monitoring the use of corporate mobile phones;
- applicability of use and implementation of GPS navigation systems;
- applicability of use and implementation of biometric systems; and
- requirements for the operation and maintenance of whistle-blowing systems.
Restriction on cookies
In November 2009, the European Commission adopted Directive 2009/136/EC (2009 Directive), and this amendment was to be implemented in the laws of each of the European Union Member States by 25 May 2011.
Article 3(5) of the 2009 Directive was implemented in Hungary by Section 155(4) of the Hungarian Act on Electronic Communications, which generally provides that data may be stored or accessed on the terminal equipment of the subject end user or subscriber after the provision of clear and comprehensive information, including the purpose of the data processing, if the corresponding consent of the end user or subscriber has been granted.
Cloud Computing Circular released by the HFSA
The Hungarian Financial Supervisory Authority (HFSA) – which merged with the Central Bank of Hungary on 1 October 2013 – released an executive circular (4/2012) on the risks of public and community cloud services used by financial institutions, namely banks, insurance companies and financial service providers in Hungary. The executive circular qualifies the use of cloud services by financial institutions as 'outsourcing', and notes that sectoral legislative rules shall be considered. Accordingly, the cloud service provider shall comply with the same requirements applicable to financial institutions in terms of personnel, material and security conditions.
The HFSA advises financial institutions to take into account, in a proportionate manner, the risks of outsourcing, and to choose a provider and the technical means of outsourcing accordingly. The HFSA announced that it would examine the legal compliance of the technical and contractual implementation of the use of cloud services in on-site audits.
Location tracking in relation to employment
According to the most recent information from the DPA, the collection of location data through GPS or GSM base stations is only lawful if the device used to collect it has a function allowing the employee to turn it off outside business hours. Employers may then be able to justify collecting location data during business hours, since continuous monitoring is considered unlawful.
Automated profiling, facial recognition technology and big data
Although the EU Article 29 Working Party has published opinions on automated profiling, facial recognition technology and big data, the DPA has not yet published any guidelines on these matters.
iv Specific regulatory areas
The protection of children
The Privacy Act provides that children over 16 are able to give consent without additional parental approval. Obviously, this facilitates the processing of data relating to younger people. This is in line with the GDPR rules (Article 8 GDPR).
The processing of health data is governed by the provisions of the Act on Medical Care (Act CLIV of 1997) as well as by the Act on Handling and Protecting Medical Data (Act XLVII of 1997). The processing of human genetic data (and research) is governed by the Act on the Protection of Human Genetic Data and the Regulation of Human Genetic Studies, Research and Biobanks.
The Act on Handling and Protecting Medical Data uses a very broad definition of 'health data'. In the Act, health data are defined as:
- any data relating to the data subject's physical, emotional or mental status, pathological addiction, as well as the circumstances associated with disease, death or cause of death that is communicated by the data subject or by any third person in relation to the data subject, or experienced, examined, measured, extracted by or relating to the medical health service; and
- any data in connection with or affecting the health service (including, for instance, any conduct, environment or profession).
Since health data are covered by the definition of 'special data' under the Privacy Act, the processing of such personal information is only permitted with the written informed consent of the data subject or if explicitly ordered by an act of legislation.
The Act on Handling and Protecting Medical Data identifies the legal purposes for which health data may be processed.
For any other purposes not covered explicitly by the provisions of the Act, health data and the related personal identification data may only be processed if the patient, or his or her legal or duly authorised representative, granted his or her informed, written consent to the processing.
The Act determines the scope of persons who may lawfully process health data. The Act also regulates the strict secrecy obligations of medical personnel providing medical treatment. Medical institutions must store health records for 30 years and must store final reports for 50 years, after which time the documentation must be destroyed.
Patients have the right to be informed about the handling of their health data. They also have the right to access their health data.
Under the provisions of the Electronic Communications Act of 2003, service providers are generally authorised to process the personal data of end users and subscribers, always to the extent required and necessary:
- for their identification for the purpose of drawing up contracts for electronic communication services (including amendments to such contracts);
- to monitor performance;
- for billing charges and fees; and
- for enforcing any related claims.
Further, the Act provides that the provision of electronic communications services may not be made dependent upon the user's consent to the processing of his or her personal data; the Act on Electronic Communications defines other purposes for processing personal data.
Several laws address the protection of personal data in the context of commercial communications. These laws include Act CVIII of 2001 on Electronic Commerce and on Information Society Services (the e-Commerce Act), the 1995 Law on the Use of Name and Address Information Serving the Purposes of Research and Direct Marketing (the Direct Marketing Act), as well as the 2008 Act on the Basic Requirements and Certain Restrictions of Commercial Advertising Activity (the Advertising Act).
In 2001, Hungary enacted the e-Commerce Act, which requires that each commercial email clearly and unambiguously indicates that a commercial message is an electronic advertisement, and that it provides the identity of the electronic advertiser or that of the actual sender.21
The Advertising Act provides that unsolicited marketing material may not be sent to an individual without having obtained the prior, express, specific, voluntary and informed consent of the individual in compliance with the applicable provisions of the Privacy Act.22 The message must contain the email address and other contact details where the individual may request the prohibition of the transmission of electronic advertisements.23 This approach may now be changed by Recital 47 of the GDPR, cited above; however, as of now the situation in Hungary is rather uncertain, especially in the absence of the new EU e-Privacy Regulation, which is expected to clarify the rules on direct marketing and consent.
The advertiser, advertisement service provider and publisher of electronic advertisements are required to keep a register of persons who have given their consent to receiving advertisements.24 The information about these individuals may be disclosed to any third party solely upon the prior consent of the individual. Advertisers may send advertisements through email or equivalent means (e.g., text messages) to those who are listed in the register.
The Direct Marketing Act significantly restricts the use of the name and home address of natural persons for marketing purposes.25 Only a limited number of means may be used to obtain the contact details of natural persons for establishing contact (permission email). These sources include business contacts as well as phone books or statistical name listings, provided that the data subjects were informed at the time of the data gathering, and advised regarding the possibility that the data might be used for purposes other than originally intended, and of their right to prohibit such use.26
IV INTERNATIONAL DATA TRANSFER
The Privacy Act defines the term 'transfer' as making data accessible to a specific third party, namely where data are passed on. In the sense of the GDPR, by contrast, any transfer of personal data that are undergoing processing or are intended for processing after transfer to a third country or to an international organisation shall take place only if the conditions laid down in the GDPR are complied with by the controller and processor, including for onward transfers of personal data from the third country or an international organisation to another third country or to another international organisation. The Privacy Act defines a 'third party' as any natural or legal person or organisation without legal personality, other than the data subject, the data controller or the technical data processor. It follows that a transfer does not include data flows between the data subject, the data controller and the data processor.
Data transfers within the Member States of the EEA are treated as domestic data transfers, and under the GDPR only transfers to recipients located in non-EEA countries qualify as international data transfers.
The Privacy Act permits the transfer of personal data to a data controller or to a data processor processing personal data in a third country:
- if the data subject explicitly consents to such a transfer;
- in the event of emergency situations or in the vital interest of the data subject or a third person; or
- for the execution of an international agreement on mutual legal assistance if an adequate level of protection of personal data is ensured.
The adequate level of protection can be ensured:
- by a binding legal act of the European Union;
- by an international agreement between the third country and Hungary containing guarantees for the rights of data subjects and for the independent supervision of data control and data processing operations; and
- if the data controlling and data processing procedures comply with binding corporate rules.27
The GDPR has restructured the requirements concerning data transfers. According to the GDPR data transfers to third countries are allowed in the following cases:
- Transfers on the basis of an adequacy decision: This is the case where the European Commission has decided that the third country, a territory or one or more specified sectors within that third country, or the international organisation in question ensures an adequate level of protection.
- Transfers subject to appropriate safeguards: This option covers, in particular, binding corporate rules, standard data protection clauses adopted by the Commission or by the DPA (SCCs) and approved codes of conduct.
- There are also derogations for specific situations where none of the above circumstances apply. Such exceptions include where the data subject has explicitly consented to the proposed transfer after having been informed of the possible risks of such transfers, where the transfer is necessary for the performance of a contract between the data subject and the controller, or where the transfer is necessary for the establishment, exercise or defence of legal claims.
For future data transfers the rules of the GDPR are applicable, while the rules of the Privacy Act will remain in force for a rather narrow scope of data processing activities where the GDPR is not applicable.
V COMPANY POLICIES AND PRACTICES
There are no official codes of practice regarding company policies and practices. However, preparing internal privacy policies under Hungarian law is mandatory in some cases, such as for financial institutions, public utility companies or electronic communications service providers, which are all required to introduce internal data protection guidelines setting out the relevant company's compliance programme in accordance with the provisions of the Act. Nevertheless, it is also common that companies that do not fall under such an obligation – especially multinational companies that process cross-border data flows both within and outside their company group – still introduce internal privacy policies and publish privacy notices. In any case, policies containing information relating to the processing of personal data shall comply – beyond the applicable regulations of the Privacy Act – with the requirements determined by the DPA in its official recommendation of 6 October 2015 regarding privacy notices.
Act I of 2012 on the Labour Code (Labour Code) also lays down the general rules governing workplace privacy.
Under the section 'Protection of Personal Rights', Article 9 of the Labour Code generally articulates that everyone shall respect the personal rights of persons covered by the Act. Employers must provide notice to their employees on the processing of their personal data. Employers may only disclose facts, data and opinions concerning an employee to third persons in those cases specified by law or with the employee's consent.
The Labour Code generally authorises employers to introduce monitoring measures. The Code provides that an employer may monitor the conduct of employees; however, such measures may be taken only in the context of employment, and the means used for monitoring may not violate the human dignity of the worker. In addition, the employer must give notice to the employee in advance of the use of technical means to control or monitor the employee's conduct. As regards a worker's consultation and information, the Labour Code provides that employers must consult with works councils before implementing measures and internal regulations affecting large numbers of employees. That information obligation covers, inter alia, the processing and protection of personal data of employees as well as the use of technical measures used for employee monitoring.
Restricting employee personal rights, however, is legitimate only if it matches the requirements of necessity and proportionality, namely if the restriction is definitely necessary because of a reason arising from the employment relationship and if the restriction is also proportionate for achieving its objective.
i Whistle-blowing system
Regarding the processing of employee data in whistle-blowing systems, Act CLXV of 2013 on Complaints and Public Interest Disclosure lays down the relevant rules.
The Act authorises employers to establish a system to investigate whistle-blowing reports. Conduct that may be reported includes the violation of laws as well as codes of conduct issued by the employer, provided that these rules protect the public interest or significant private interests.
The employer must publicly disclose on its corporate website the rules of conduct the violation of which may be subject to reporting, and a detailed description of the reporting procedure in Hungarian.
The investigation of a report is mandatory for employers, and the reporting person must be informed of the outcome of the investigation and of the measures taken. The identity of the reporting person may not be disclosed without his or her consent. The Act permits the receipt and investigation of anonymous reports; however, the deadline for the investigation of such reports cannot be extended.
According to the Labour Code, employers must consult with works councils before implementing measures and internal regulations affecting large numbers of employees. This would include the implementation of a modified or new whistle-blowing system.
ii Specific provisions relating to credit data
The processing of personal data, business secrets and bank secrets by financial institutions (namely, by credit institutions and financial undertakings), data security requirements as well as data processing within the framework of the Central Credit Information System are regulated by Act CCXXXVII of 2013 on Credit Institutions and Financial Undertakings (the Banking Act).
Under the provisions of the Banking Act, credit institutions are authorised to outsource the activities connected to financial services and activities auxiliary to financial services, as well as those statutory activities prescribed by law that involve the processing of data, provided that outsourcing complies with data protection provisions. Accordingly, the outsourcing service provider must satisfy – to a degree corresponding to the risk – the personnel, infrastructure and security requirements concerning the outsourced activities that are prescribed by law for credit institutions. The Banking Act also lays down mandatory provisions for the outsourcing contract.
iii Genetic data
The processing of human genetic data is governed by Act XXI of 2008 on the Protection of Human Genetic Data and the Regulation of Human Genetic Studies, Research and Biobanks, which entered into effect on 1 July 2008. The general rules of the Act lay down that human genetic data may only be used either for the purpose of human genetic research or for medical examination. The Act guarantees the data subject's right of informational self-determination in connection with human genetic data, as it requires the written informed consent of the data subject for such data processing. The GDPR now also addresses genetic data and defines it as personal data relating to the inherited or acquired genetic characteristics of a natural person that result from the analysis of a biological sample from the natural person in question, in particular chromosomal, deoxyribonucleic acid (DNA) or ribonucleic acid (RNA) analysis, or from the analysis of another element enabling equivalent information to be obtained.
Genetic data is classified as a special category of personal data.
iv Data protection officer
The Privacy Act provides that selected data controllers, such as public administrative bodies, financial organisations, public utilities companies and communications companies, that customarily process huge amounts of personal data are obliged to appoint an internal data protection officer, working under the direct control and supervision of the respective data controllers' general manager. Among the data protection officer's various tasks, he or she is specifically responsible for:
- contributing to or assisting in decision-making related to data processing and to the enforcement of the rights of data subjects;
- monitoring compliance with the Privacy Act and other rules of law on data processing, as well as with the provisions of internal data protection and data security rules and requirements;
- investigating reports submitted to him or her; and
- providing the data controller or technical data processor with information relating to the detection of any unlawful data processing activities.
According to the GDPR the controller and the processor shall designate a data protection officer in any case where:
- the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
- the core activities of the controller or the processor consist of processing operations which, by virtue of their nature, their scope or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
- the core activities of the controller or the processor consist of processing on a large scale of special categories of data and personal data relating to criminal convictions and offences.
The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil his or her tasks, which are:
- to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions;
- to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
- to provide advice where requested as regards the data protection impact assessment and monitor its performance;
- to cooperate with the supervisory authority; and
- to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter.
Pursuant to the data breach rules of the GDPR and of the Privacy Act, the DPO manages the data security incident register, which records incidents, and in some cases the DPA or the data subjects must be notified.
VI DISCOVERY AND DISCLOSURE
i Enforcement agencies
The DPA plays a key role in the enforcement of the protections of the GDPR and of the Privacy Act. The DPA has been appointed to act as a supervisory authority in the sense of the GDPR, therefore no separate agency has been created in Hungary for this purpose. The DPA is responsible both for the supervision and enforcement of compliance with the GDPR and the Privacy Act and other data protection and data processing laws as well as freedom of information laws in Hungary. Hungarian data protection and privacy laws are enforced by the DPA and the Hungarian courts. No other organisations have an official role in data protection regulation.
The DPA monitors the conditions of the protection of personal data and investigates complaints. Representatives of the DPA may enter any premises where data are processed. If they observe any unlawful data processing, they have the authority to make the data controller discontinue the processing. The administrative procedure of the DPA is governed by the General Provisions of the Act on Administrative Procedure and, in the event of breach of the material provisions of the Act, the DPA is empowered to:
- request that an entity cease and desist from infringing the law;
- order the blocking, deletion or destruction of unlawfully processed data;
- prohibit the unlawful processing;
- suspend the transfer of data to foreign countries; and
- impose a fine of up to €20 million.
The GDPR appoints supervisory authorities to:
- monitor and enforce the application of the GDPR;
- promote public awareness and understanding of the risks, rules, safeguards and rights in relation to processing. Activities addressed specifically to children shall receive specific attention;
- advise, in accordance with Member State law, the national parliament, the government, and other institutions and bodies on legislative and administrative measures relating to the protection of natural persons' rights and freedoms with regard to processing;
- promote the awareness of controllers and processors of their obligations under the GDPR;
- upon request, provide information to any data subject concerning the exercise of their rights under the GDPR and, if appropriate, cooperate with the supervisory authorities in other Member States to that end;
- handle complaints lodged by a data subject, or by a body, organisation or association, and investigate, to the extent appropriate, the subject matter of the complaint and inform the complainant of the progress and the outcome of the investigation within a reasonable period, in particular if further investigation or coordination with another supervisory authority is necessary;
- cooperate with, including by sharing information and providing mutual assistance to, other supervisory authorities with a view to ensuring the consistency of application and enforcement of the GDPR;
- conduct investigations on the application of the GDPR, including on the basis of information received from another supervisory authority or other public authority;
- monitor relevant developments, insofar as they have an impact on the protection of personal data, in particular the development of information and communication technologies and commercial practices;
- adopt standard contractual clauses;
- establish and maintain a list in relation to the requirement for data protection impact assessment;
- encourage the drawing up of codes of conduct and provide an opinion and approve such codes of conduct which provide sufficient safeguards;
- encourage the establishment of data protection certification mechanisms and of data protection seals and marks and approve the criteria of certification;
- where applicable, carry out a periodic review of certifications;
- conduct the accreditation of a body for monitoring codes of conduct;
- authorise contractual clauses and provisions;
- approve binding corporate rules; and
- keep internal records of infringements of the GDPR and of measures taken.
Under the GDPR and the Act, the data controller, data processor and data subject are all entitled to appeal to the court to contest an order of the DPA. Pending a final and binding decision of the court, the data concerned must not be erased or destroyed, but processing of the data must be suspended and the data blocked. Moreover, the general rights of appeal under the Civil Procedure Act will still apply.
The DPA may initiate criminal proceedings with the body authorised to launch such proceedings if it suspects that an offence has been committed during the course of the procedure. The DPA shall initiate infringement or disciplinary proceedings with the body authorised to launch such proceedings if it suspects that an infringement or disciplinary violation has been committed during the course of the procedure.
The Privacy Act has established the Conference of Internal Data Protection Officers, which is headed by the president of the DPA and secures the information exchange between data protection officers.
ii Recent enforcement cases
The DPA's action plan is aimed at online stores and their data processing activities. Short summaries of some recent cases are below.
In one case,28 the DPA investigated the legitimacy of the cross-border data transfer practices of a company established in France. The company had implemented binding corporate rules (BCRs) to legitimise data transfers within the company group across the globe and subsequently filed these BCRs with the French Data Protection Authority (CNIL) for validation. Upon receiving CNIL approval, the company was listed on the relevant European Commission website as an entity using BCRs. The Hungarian DPA, however, detected ex officio that although the company had also requested approval for Hungary, it had failed to submit its BCRs to the local DPA for approval. Under the Privacy Act, BCRs may only be used as an adequate safeguard for international data transfers upon approval by the local DPA. The DPA established that, in the absence of local approval for the BCRs, the data transfers of the company had been unlawful and – without imposing any penalties – ordered the company to submit its BCRs to the Hungarian DPA without further delay.
In another case,29 the DPA investigated the data processing activities of a medium-sized company active in the consumer credit business. The DPA established that the company's data processing practices had been unlawful as the company had violated the principles of data minimisation and purpose limitation (by collecting and retaining copies of customer identification documents), had violated its obligations concerning the preliminary notification of customers (by not informing customers of all aspects of the data processing) and had also processed customer personal data without a proper legal basis. Consequently, the DPA imposed a data protection fine amounting to 1 million forints.
Recently, the DPA has focused mainly on enquiries from data controllers, data processors and data subjects concerning the implementation of the GDPR. In response to these enquiries the DPA issues guidelines, which are published on its website. Below are some guidelines that can be considered important or of general concern, although the DPA always emphasises that these guidelines are neither enforceable nor binding:
Conciliation panels (e.g., panels mediating consumer protection cases) qualify as public authorities; therefore the rules of the GDPR concerning public authorities apply to these panels as well, including the obligation to appoint a data protection officer.
Data protection registries may be kept in English, but in the case of a monitoring procedure by the supervisory authority it is the data controller's duty to provide the Authority with an adequate Hungarian translation.
iii Private litigation
In the event of infringement of his or her rights, a data subject may file a court action against a data controller. In the court proceeding, the data controller bears the burden of proving that the data processing was in compliance with the data protection laws.
In the event of harm to personal rights caused to the data subject in connection with data processing or breach of data security requirements, the data subject may plead before the courts for the controller to cease and desist from infringement, for satisfaction, as well as for the perpetrator to hand over financial gains made from the infringement. Moreover, since 15 March 2014, the data subject may also claim exemplary damages – namely lump sum damages that can be awarded by the court for the compensation of the harm by the data controller as a result of unlawful data processing or breach of data security requirements. Regarding the claim for exemplary damages, the data subject as a claimant does not need to evidence the harm beyond the breach of data protection laws.
Penalties imposed by the DPA are made public via its website.30 The DPA imposed penalties three times between 25 August and 31 December 2016, and seven times in 2017 up to 1 September, while in 2018 fines have been imposed four times. The former maximum penalty of 20 million forints has not been imposed since September 2015; neither has the minimum amount of 100,000 forints. The data protection fines imposed since August 2016 have ranged from 300,000 to 15 million forints. Since the introduction of the new GDPR rules, the upper limits of the fines have increased significantly, but no official actions have been completed since 25 May; therefore, it is yet to be seen how vigorous the fining practice of the DPA will be under the new rules.
VII PUBLIC AND PRIVATE ENFORCEMENT
The scope of the Hungarian Privacy Act and of the GDPR covers all kinds of data controlling and processing regarding the data of private persons, data of public interest or data that is public because of the public interest. The Hungarian Privacy Act also applies if a data controller handling personal data is located outside the European Union and it commissions a data controller with a seat, business establishment, branch office, domicile or place of residence in Hungary, or uses a device located in Hungary, except when this device serves only to transit data traffic within the area of the European Union. If the Privacy Act applies, the data controller shall appoint a representative for the territory of Hungary.
The forwarding of personal data by an employer to a data processor located outside Hungary is not forbidden; however, it is subject to prior notification of the employee.
The new rules of the GDPR apply to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not. The GDPR applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to (i) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union or (ii) the monitoring of their behaviour as far as their behaviour takes place within the Union.
This regulation creates a very wide territorial scope for the GDPR and for the supervisory authority enforcing the GDPR rules. However, it remains uncertain how supervisory authorities will have the resources to initiate investigations against foreign organisations.
VIII CYBERSECURITY AND DATA BREACHES
Hungary is a member of the Council of Europe's Convention on Cybercrime, which was signed in 2001 in Budapest. A government decision was issued recently in which the basics of the National Cybersecurity Strategy of Hungary were laid down. In connection with this legal development, a series of other laws has been announced covering areas such as the electronic information security of the state and local governments, and the responsibilities of the National Electronic Information Security Authority and the National Cybersecurity Coordination Council. Critical systems and facilities have also been identified, and their special protection has been ordered by law.
In Hungary, the obligation to make reports in line with the European Union Agency for Network and Information Security guidelines only extends to the organs of public administration. However, private persons can also contact the Government Incident Response Team by email or telephone. A new Cybersecurity Strategy and Action Plan is planned to be created this year to clarify the tasks and scopes of responsibility of the state actors.
The EU General Data Protection Regulation has brought significant changes to the Hungarian data protection and privacy regime with effect from 25 May 2018, but given the short period of time since it became applicable, it is hard to assess its actual short- and long-term effects.
1 Tamás Gödölle is a partner at Bogsch & Partners Law Firm.
2 The translation of the consolidated version of the Fundamental Law of Hungary is available at www.kormany.hu/download/e/02/00000/The%20New%20Fundamental%20Law%20of%20Hungary.pdf.
3 Available in Hungarian at http://naih.hu/felkeszueles-az-adatvedelmi-rendelet-alkalmazasara.html.
4 Available in English at http://naih.hu/files/NAIH_ANNUAL_REPORT_2016_EN.pdf.
5 The text of the Law is available at http://net.jogtar.hu/jr/gen/hjegy_doc.cgi?docid=A1100112.TV and in English at www.naih.hu/files/Act-CXII-of-2011_EN_23June2016.pdf.
6 ibid., Article 3(3).
7 ibid., Article 3(5).
8 ibid., Article 10(2), as amended, effective as of 1 July 2013.
10 Direct Marketing Act, Section 5.
11 Available in Hungarian at http://naih.hu/files/tajekoztato-ajanlas-v-2015-10-09.pdf.
12 Implemented in 2015. Applicable from 1 October 2015.
13 Implemented in 2015. Applicable from 1 October 2015.
14 Data Protection Law, Article 17(2).
15 Labour Code, Article 11.
16 The guidance is available in Hungarian at http://naih.hu/files/Ajanlas-a-munkahelyi-kameras-megfigyelesr-l.pdf.
17 The guideline is available in Hungarian at http://naih.hu/files/2016_11_15_Tajekoztato_munkahelyi_adatkezelesek.pdf.
19 Act on Electronic Communications, Article 154(6).
20 The e-Commerce Act is available in Hungarian at http://net.jogtar.hu/jr/gen/hjegy_doc.cgi?docid=a0100108.tv.
21 e-Commerce Act, Article 14/A.
22 ibid., Article 14(2).
23 ibid., Article 14(3).
24 ibid., Article 14(5).
25 Direct Marketing Act, Section 5.
26 ibid., Section 3(1)(b).
27 Implemented in 2015. Applicable from 1 October 2015.