The Privacy, Data Protection and Cybersecurity Law Review: Hungary
The introduction of the European General Data Protection Regulation (GDPR) caused quite a change in Hungary's single legislative privacy regime a few years ago. Since 25 May 2018, the general rules on the protection of personal data and freedom of information have been contained in the GDPR, and Act CXII of 2011 on Informational Self-Determination and Freedom of Information (the Privacy Act) is secondary to those general rules, which apply throughout the European Union. On 17 July 2018, the bill amending the Privacy Act for the sake of GDPR compliance was adopted by the Hungarian parliament, and it took effect on 25 August 2018.
Furthermore, the Hungarian Data Protection Authority (DPA) has been appointed to act as a supervisory authority under the GDPR. The GDPR and the Privacy Act should be considered as the general legislation providing rules regarding the protection of personal data and the disclosure of public data. Beyond this scope, there are other sectoral acts (e.g., the Labour Code, Electronic Communications Act, etc.) that provide additional data protection-related provisions. The processing of medical, criminal, electoral and citizenship data is regulated by other acts. To be compliant with the GDPR, more than 80 sectoral acts were amended by the Hungarian parliament as of 1 April 2019, effective as of 26 April 2019. The omnibus act contained fundamental amendments to the handling of personal data in the field of labour law, security services and activities of private investigators, trade and direct marketing.
In Hungarian data privacy regulation, the role of NGOs and self-regulatory industry groups, as well as society or advocacy groups, is marginal, and there are no specific Hungarian laws providing for government surveillance powers.
The government approved the National Cybersecurity Strategy, which determines the national objectives and strategic directions, tasks and comprehensive government tools to enable Hungary to enforce its national interests in Hungarian cyberspace, within the context of the global cyberspace.
The year in review
The year 2020 has mostly been about the further interpretation of the GDPR stipulations within the framework of the Hungarian legislation by the Hungarian DPA, and also about the special legal order established because of the covid-19 outbreak.
The Hungarian DPA has already started to impose fines on corporations that explicitly breach the stipulations of the GDPR. One of the most notable in 2020 was the fine of DIGI, a Hungarian telecommunication service provider (see Section VI.ii).
Furthermore, the Hungarian DPA has also issued a guideline on the lawfulness of data processing, namely the processing of health-related personal data of employees and contractual partners.2 In this guideline, the DPA determined that the health data of data subjects can only be processed by authorities or by healthcare professionals; therefore, temperature checks can only be carried out if at least one healthcare professional is present and is responsible for the respective temperature check. However, the data processors have the right to ask the data subjects whether they have been in contact with any person with covid-19 or whether they have been abroad in the past 14 days. Nevertheless, this personal data can only be requested from data subjects if the data processor can prove a legitimate need for it.
i Privacy and data protection legislation and standards
The GDPR and the Privacy Act regulate the protection of personal data in Hungary. The GDPR, in force since 25 May 2018, and the Act, which was enacted in 2011 and entered into force on 1 January 2012,3 purport to guarantee the right of everyone to exercise control over his or her personal data and to have access to data of public interest.
There are two categories of protected information: 'personal data' and 'sensitive data'. There is also a third category of data named 'data of public interest'; this is beyond the scope of the GDPR but the Privacy Act contains regulations for this category of data, as well.
The GDPR and the Privacy Act apply to all data processing and technical data processing that is carried out in Hungary or that aims at Hungarian data subjects, and that pertains to the data of physical persons. The GDPR and the Privacy Act regulate the processing of data carried out wholly or partially by automatic means, and the manual processing of data.
Personal data are defined in Article 3.2 of the Privacy Act as any information relating to a data subject. For the purposes of the GDPR, the term personal data is very similar: 'personal data' means any information relating to an identified or identifiable natural person ('data subject'); the term identifiable natural person was also incorporated in the Privacy Act, which refers to a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
The former term 'special data' of the Privacy Act was replaced by the term 'sensitive data', which is defined as information on a data subject's racial and national origin, political opinion or party affiliation, religious or ideological beliefs, or membership of any special interest organisations, as well as his or her state of health, pathological addictions, sex life or criminal personal data, a definition that was made GDPR-compliant in the same way that the definition of personal data was.4
The GDPR defines 'controller' as the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law. The definition of data controller in the Privacy Act was also made GDPR compliant.
The Act identifies a 'data processor' as any natural or legal person or organisation without legal personality that is engaged in processing operations within the framework of and under the conditions set out by law or binding legislation of the European Union, acting on the controller's behalf or following the controller's instructions. Under the GDPR, 'processor' means a natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller.
Data protection audits
With effect from 1 January 2013, the DPA provides data protection audits as a service to data controllers who request it. The DPA may charge an administrative fee for the audit that cannot exceed 5 million forints. The relevant aspects of DPA audits have been published on the DPA's website.5
Protection of consumers
The Direct Marketing Act identifies numerous obligations for marketing organisations to ensure the protection of consumers, and particularly restricts the use of the name and home address of natural persons for marketing purposes.6 Notably, the provisions of the Direct Marketing Act are only applicable where the marketing materials are sent by post. Marketing materials sent by electronic means are regulated by the Advertising Act and the e-Commerce Act. In this regard the GDPR brings some novelties: Recital (47) states that the processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest, which implies that no consent is required as a legal basis for such data processing. This is a significant change from the previous Hungarian approach. The omnibus act of April 2019 brought about significant changes in the field of direct marketing: the rules in Act CXIX of 1995 on the Use of Name and Address Information Serving the Purposes of Research and Direct Marketing7 have changed so that previously collected customer data can only be used if a legitimate interest is proved, which can be, for example, the measurement of client satisfaction.
ii General obligations for data handlers
According to the GDPR, processing shall be lawful only if and to the extent that at least one of the following applies:
- the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
- processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
- processing is necessary for compliance with a legal obligation to which the controller is subject;
- processing is necessary in order to protect the vital interests of the data subject or of another natural person;
- processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; and
- processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject that require protection of personal data, in particular where the data subject is a child.
Before collecting information from an individual, the controller must indicate to the data subject whether data processing is based on consent or relies on any other legal ground. In addition, the data controller must provide the data subject with unambiguous and detailed information on all the facts relating to the processing of his or her data, in line with Articles 13 and 14 GDPR.
Requirements of preliminary notices
Data controllers must provide data subjects with unambiguous and adequately detailed information on the circumstances of the processing of their personal data. On 9 October 2015, the DPA issued an official recommendation8 regarding the minimum requirements for preliminary notices provided to data subjects prior to the commencement of the processing of their personal data. While these recommendations are generally considered soft law, in the event of an investigation the DPA will check whether the data controller meets these requirements. This recommendation continues to be in force as it is compliant with the GDPR text.
For the purposes of preliminary notices Articles 13 and 14 of the GDPR shall also be taken into consideration.
Data security incident register9
According to Article 15(1a) of the Privacy Act, for subsequent countermeasure examinations by the DPA and for data subject notification purposes, the data controller shall keep a record of all data regarding data security incidents.
Additionally, the GDPR introduced a new regime for notifying data breaches to the DPA and, in certain cases, to the data subjects.
When the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the personal data breach to the data subject without undue delay.
Database registration requirements
Under the new GDPR rules, the DPA does not keep a registry of data processing activities.
Rights of data subjects
Articles 15–21 GDPR contain the rights of the data subjects, such as the right of access by the data subject, the rights of rectification and erasure (the right to be forgotten), restriction of processing, the right to data portability and the right to object. Data subjects may request information on the processing of their personal data, such as which data are processed by the data controller or its data processors; about the purpose of the processing, its legal basis, its duration and the name, address and activity of the data processor; and, should there be one, on the circumstances of any data protection incident.10 They also have the right to know who has received or will receive their data, and for what purpose. The data controller must give this information within a month and in an easily understandable manner. Data controllers must provide this information in written form if this is requested by the data subject.
The GDPR and the Privacy Act require data controllers to rectify any inaccurate personal data. In addition, they provide for the deletion of personal data if the processing is unlawful, if this has been requested by the data subject, or if this has been ordered by a court or the DPA.11 A data controller must delete data that is incomplete or inaccurate and cannot be corrected in a lawful way, unless the deletion is prohibited by another law. It must also destroy data when the purpose of processing has ceased to exist, or when the time limit for the storage of the data has expired.
iii Technological innovation and privacy law
More detailed regulatory frameworks apply to several data privacy issues.
The Labour Code generally authorises employers to introduce monitoring measures.12 It allows employers to monitor the conduct of employees; however, such measures may be taken only in the context of employment. Further, the means used for monitoring may not violate the human dignity of the worker. To exclude all possibility of doubt, the Labour Code also states that the private life of the employee cannot be monitored, which is in conformity with the practice of the European Court of Human Rights. In addition, the employer must give notice to employees, in advance, of the use of technical means serving to control or monitor employees' conduct.
The previously mentioned omnibus act also brought about changes in the field of labour law. The employer is obliged to demonstrate to the employee, by prior written notice, the necessity, proportionality and purpose limitation of the data handling. Furthermore, the employee need only present the official documents (e.g., ID card) necessary for the employment relationship, and the employer is not entitled to make photocopies of them. The previous maximum storage periods for camera recordings (three working days, 30 days or 60 days) were also abolished; the employer therefore has the right to set the storage period for the recordings within the framework of GDPR norms such as data minimisation. Furthermore, the employer also has the right to process the biometric data of employees (e.g., for entry purposes) if this is supported by a data protection impact assessment in which the pecuniary interest of the employer is clearly identified.
Restriction on cookies
In November 2009, the European Commission adopted Directive 2009/136/EC (2009 Directive), and this amendment was to be implemented in the laws of each of the European Union Member States by 25 May 2011.
Article 3(5) of the 2009 Directive was implemented in Hungary by Section 155(4) of the Hungarian Act on Electronic Communications, which generally provides that data may be stored or accessed on the terminal equipment of the subject end user or subscriber after the provision of clear and comprehensive information, including the purpose of the data processing, if the corresponding consent of the end user or subscriber has been granted.
The HDPA issued a guideline13 on cookies, according to which personal data related to essential cookies, which are necessary for the operation of the website, can be processed on the legal ground of legitimate interest. Personal data related to other types of cookies (such as analytic or marketing cookies) can only be processed with the consent of the data subject.
Cloud Computing Circular released by the HFSA
The Hungarian Financial Supervisory Authority (HFSA) – which merged with the Central Bank of Hungary on 1 October 2013 – released an executive circular (4/2012)14 on the risks of public and community cloud services used by financial institutions, namely banks, insurance companies and financial service providers in Hungary.
The HFSA advises financial institutions to take into account, in a proportionate manner, the risks of outsourcing, and to choose a provider and the technical means of outsourcing accordingly. The HFSA announced that it would examine the legal compliance of the technical and contractual implementation of the use of cloud services in on-site audits.
Location tracking in relation to employment
According to the most recent information from the DPA, data collected through GPS or GSM base stations is only lawful if any device used to collect location data has a function allowing the employee to turn the device off outside business hours. Employers may then be able to justify their collection of the location data during business hours as continuous monitoring is considered to be unlawful.
Automated profiling, facial recognition technology and big data
Although the EU Article 29 Working Party has published opinions on automated profiling, facial recognition technology and big data, the DPA has not yet published any guidelines on these matters.
iv Specific regulatory areas
The protection of children
The Privacy Act provides that children over 16 are able to give consent without additional parental approval. Obviously, this facilitates the processing of data relating to younger people. This is in line with the GDPR rules (Article 8 GDPR).
The processing of health data is governed by the provisions of the Act on Medical Care (Act CLIV of 1997) as well as by the Act on Handling and Protecting Medical Data (Act XLVII of 1997). The processing of human genetic data (and research) is governed by the Act on the Protection of Human Genetic Data and the Regulation of Human Genetic Studies, Research and Biobanks.
The Act on Handling and Protecting Medical Data identifies the legal purposes for which health data may be processed.
The Act determines the scope of persons who may lawfully process health data. The Act also regulates the strict secrecy obligations of medical personnel providing medical treatment. Medical institutions must store health records for 30 years and must store final reports for 50 years, after which time the documentation must be destroyed.
Patients have the right to be informed about the handling of their health data. They also have the right to access their health data.
Under the provisions of the Electronic Communications Act of 2003, service providers are generally authorised to process the personal data of end users and subscribers, always to the extent required and necessary:
- for their identification for the purpose of drawing up contracts for electronic communication services (including amendments to such contracts);
- to monitor performance;
- for billing charges and fees; and
- for enforcing any related claims.
Several laws address the protection of personal data in the context of commercial communications. These laws include Act CVIII of 2001 on Electronic Commerce and on Information Society Services (the e-Commerce Act),15 the 1995 Law on the Use of Name and Address Information Serving the Purposes of Research and Direct Marketing (the Direct Marketing Act), as well as the 2008 Act on the Basic Requirements and Certain Restrictions of Commercial Advertising Activity (the Advertising Act).
In 2001, Hungary enacted the e-Commerce Act, which requires that each commercial email clearly and unambiguously indicates that a commercial message is an electronic advertisement, and that it provides the identity of the electronic advertiser or that of the actual sender.16
The Advertising Act provides that unsolicited marketing material may not be sent to an individual without having obtained the prior, express, specific, voluntary and informed consent of the individual in compliance with the applicable provisions of the Privacy Act.17 The message must contain the email address and other contact details where the individual may request the prohibition of the transmission of electronic advertisements.18 This approach may now be changed by Recital (47) of the GDPR cited above; however, as of now the situation is rather uncertain in Hungary, especially in the absence of the new ePrivacy Regulation of the EU, which will clarify the rules for direct marketing and consent.
Company policies and practices
There are no official codes of practice regarding company policies and practices. However, preparing internal privacy policies under Hungarian law is mandatory in some cases, such as for financial institutions, public utility companies or electronic communications service providers, which are all required to introduce internal data protection guidelines, setting out the relevant company's compliance programme in accordance with the provisions of the Act. Nevertheless, it is also common that companies that do not fall under such an obligation – especially multinational companies who process cross-border data flows both within and outside their company group – still introduce internal privacy policies and publish privacy notices.
Act I of 2012 on the Labour Code (the Labour Code) also lays down the general rules governing workplace privacy.
Under the section 'Protection of Personal Rights', Article 9 of the Labour Code generally articulates that everyone shall respect the personal rights of persons covered by the Act. Employers must provide notice to their employees on the processing of their personal data. The Labour Code generally authorises employers to introduce monitoring measures. The Code provides that an employer may monitor the conduct of employees; however, such measures may be taken only in the context of employment, and the means used for monitoring may not violate the human dignity of the worker. Restricting employee personal rights, however, is legitimate only if it matches the requirements of necessity and proportionality, namely if the restriction is definitely necessary because of a reason arising from the employment relationship and if the restriction is also proportionate for achieving its objective.
i Whistle-blowing system
Regarding the processing of employee data in whistle-blowing systems, Act CLXV of 2013 on Complaints and Public Interest Disclosure lays down the relevant rules.
The Act authorises employers to establish a system to investigate whistle-blowing reports. Conduct that may be reported includes the violation of laws as well as codes of conduct issued by the employer, provided that these rules protect the public interest or significant private interests.
ii Genetic data
The processing of human genetic data is governed by Act XXI of 2008 on the Protection of Human Genetic Data and the Regulation of Human Genetic Studies, Research and Biobanks, which entered into effect on 1 July 2008. The general rules of the Act lay down that human genetic data may only be used either for the purpose of human genetic research or for medical examination. The Act guarantees the data subject's right of information self-determination in connection with human genetic data, as it requires the written informed consent of the data subject for such data processing.
iii Data protection officer
According to the GDPR the controller and the processor shall designate a data protection officer in any case where:
- the processing is carried out by a public authority or body, except for courts acting in their judicial capacity;
- the core activities of the controller or the processor consist of processing operations that, by virtue of their nature, their scope or their purposes, require regular and systematic monitoring of data subjects on a large scale; or
- the core activities of the controller or the processor consist of processing on a large scale of special categories of data and personal data relating to criminal convictions and offences.
The data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil his or her tasks, which are:
- to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions;
- to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
- to provide advice where requested as regards the data protection impact assessment and monitor its performance;
- to cooperate with the supervisory authority; and
- to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter.
Pursuant to the data breach rules of the GDPR and of the Privacy Act, the DPO shall manage the data security incident register, which contains records of incidents and shall notify the DPA or the data subjects in some cases.
Discovery and disclosure
i Enforcement agencies
The DPA monitors the conditions of the protection of personal data and investigates complaints. Representatives of the DPA may enter any premises where data are processed. If they observe any unlawful data processing, they have the authority to make the data controller discontinue the processing. The administrative procedure of the DPA is governed by the General Provisions of the Act on Administrative Procedure and, in the event of breach of the material provisions of the Act, the DPA is empowered to:
- request that an entity cease and desist from infringing the law;
- order the blocking, deletion or destruction of unlawfully processed data;
- prohibit the unlawful processing;
- suspend the transfer of data to foreign countries; and
- impose a fine of up to €20 million.
Under the GDPR and the Privacy Act, the data controller, data processor and data subject are all entitled to appeal to the court to contest an order of the DPA. Pending a final and binding decision of the court, the data concerned must not be erased or destroyed, but processing of the data must be suspended and the data blocked. Moreover, the general rights of appeal under the Civil Procedure Act will still apply.
The DPA may initiate criminal proceedings with the body authorised to launch such proceedings if it suspects that an offence has been committed during the course of the procedure. The DPA shall initiate infringement or disciplinary proceedings with the body authorised to launch such proceedings if it suspects that an infringement or disciplinary violation has been committed during the course of the procedure.
ii Recent enforcement cases
Regarding the higher limit for imposing penalties, the DPA has already issued a penalty of 30 million forints. The penalty was issued to the organisers of Sziget, a well-known Hungarian music festival, and was imposed for the handling of participants' data without any prior notice or consent and the unnecessarily long period of time of data processing. Furthermore, the participants did not receive any information about their rights if they were not satisfied with the data handling policy of the organisers.
In 2020, DIGI, a Hungarian telecommunication service provider, received a penalty of 100 million forints.19 The HDPA imposed the fine on the basis that the website of DIGI was not secure enough, as a result of which the personal data of subscribers could easily be accessed. This was discovered by an ethical hacker, who reported the potential data leakage to DIGI, which had already been aware of it for more than nine years. After the activity of the ethical hacker, a data leakage occurred. DIGI reported the data leakage to the HDPA within 72 hours. The HDPA's investigation described the data processing of DIGI as unlawful, since DIGI did not implement the proportionate data security measures that are required of a company processing such a large amount of personal data. Furthermore, DIGI also failed to prove that any data security tests had been conducted throughout its operation.
iii Private litigation
In the event of infringement of his or her rights, a data subject may file a court action against a data controller. In the court proceeding, the data controller bears the burden of proving that the data processing was in compliance with the data protection laws.
In the event of harm to personal rights caused to the data subject in connection with data processing or breach of data security requirements, the data subject may plead before the courts for the controller to cease and desist from infringement, for satisfaction, as well as for the perpetrator to hand over financial gains made from the infringement.
Penalties imposed by the DPA are made public via its website.20 Since the introduction of the new GDPR rules, the upper limits of the fines have seen a significant increase, and in 2019 the highest penalty imposed was 30 million forints.
Public and private enforcement
The scope of the Hungarian Privacy Act and of the GDPR covers all kinds of data controlling and processing regarding the data of private persons, data of public interest or data that is public on grounds of public interest.
The forwarding of personal data by an employer to a data processor located outside Hungary is not forbidden; however, it is subject to prior notification of the employee.
The new rules of the GDPR apply to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not. The GDPR applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to (1) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union or (2) the monitoring of their behaviour as far as their behaviour takes place within the Union.
Cybersecurity and data breaches
Hungary is a member of the Council of Europe's Convention on Cybercrime, which was signed in 2001 in Budapest. A government decision was issued recently in which the basics of the National Cybersecurity Strategy of Hungary were laid down. In connection with this legal development, a series of other laws has been announced covering areas such as the electronic information security of the state and local governments, and the responsibilities of the National Electronic Information Security Authority and the National Cybersecurity Coordination Council. Critical systems and facilities have also been identified, and their special protection has been ordered by law.
The EU General Data Protection Regulation has brought significant changes to the Hungarian data protection and privacy regime with effect from 25 May 2018, but, given the short period of time since it became applicable, it is hard to assess its actual short- and long-term effects.
1 Tamás Gödölle is a partner and Márk Pécsvárady is a junior associate at Bogsch & Partners Law Firm.
3 The text of the Law is available at http://net.jogtar.hu/jr/gen/hjegy_doc.cgi?docid=A1100112.TV and in English at www.naih.hu/files/Act-CXII-of-2011_EN_23June2016.pdf.
4 ibid., Article 3(3).
6 Direct Marketing Act, Section 5.
7 Available in Hungarian at https://net.jogtar.hu/jogszabaly?docid=99500119.TV.
8 Available in Hungarian at http://naih.hu/files/tajekoztato-ajanlas-v-2015-10-09.pdf.
9 Implemented in 2015. Applicable from 1 October 2015.
10 Implemented in 2015. Applicable from 1 October 2015.
11 Data Protection Law, Article 17(2).
12 Labour Code, Article 11.
15 The e-Commerce Act is available in Hungarian at http://net.jogtar.hu/jr/gen/hjegy_doc.cgi?docid=a0100108.tv.
16 e-Commerce Act, Article 14/A.
17 ibid., Article 14(2).
18 ibid., Article 14(3).