Data Law Navigator | Hungary

Information on Data Protection and Cyber Security laws from CMS experts


The content will be periodically updated by our lawyers but, given the constantly evolving laws in this area, we cannot guarantee the content is complete and accurate.


Data Protection

Last updated 10 October 2018

Risk scale

Laws

  • Act CXII of 2011 on the Right of Self-Determination in Respect of Information and the Freedom of Information (Info Act) – general rules on personal data processing.
  • Act C of 2003 on Electronic Communications of the Republic of Hungary, as amended (E-Communications Act) – implementing the EU E-Privacy Directive
  • NMHH Decree No. 4/2012. (I. 24.) on the Special Conditions of Data Processing by Electronic Communications Service Providers, the Data Security of Electronic Communications Services, and the Rules of Identifier Presentation and Call Diversion – implementing the EU E-Privacy Directive
  • Act XLVII of 1997 on Processing and Protection of Medical and Other Related Personal Data (Medical Data Act)
  • Act CXIX of 1995 on the Use of Name and Address Information Serving the Purposes of Research and Direct Marketing (Hungarian Direct Marketing Act)
  • Act XXI of 2008 on the Protection of Human Genetic Data (Human Genetic Info Act)
  • Act CCXXXVII of 2013 on Credit Institutions and Financial Enterprises
  • Act CXX of 2001 on Capital Markets
  • Act LXXXVIII of 2014 on Insurance Institutions and the Insurance Business
  • Act LXVI of 1992 on Personal Data and Address Records of Citizens
  • Act I of 2012 on the Labour Code
  • Act XLVIII of 2008 on Advertising

Authority

Hungarian Authority for Data Protection and Freedom of Information (NAIH – Nemzeti Adatvédelmi és Információszabadság Hatóság): www.naih.hu/ 

Guideline for the post-GDPR era: NAIH issued an information notice on the relationship between the GDPR and the local Hungarian data protection legislation (the Info Act and sectoral Hungarian laws with data protection provisions). The purpose of the information notice is to clarify the situations where local laws regulate a data protection issue differently than the GDPR until those laws are fully harmonised with the GDPR.

NAIH’s main statements are as follows:

  • The GDPR may permit the passing of local data protection legislation in certain areas. For example, local laws may lay down rules on data processing to comply with a legal obligation, data processing for journalistic purposes, data processing in the context of employment, data processing and public access to official documents, etc. The existing local rules on these topics shall be applicable within the framework of the GDPR.
  • Certain Hungarian laws remain necessary to enforce the GDPR. For example, local laws shall lay down procedural rules for the operation of NAIH. The existing local rules shall be applicable in accordance with the GDPR.
  • The provisions of the Info Act and the applicable sectoral Hungarian data protection provisions shall apply to any other areas not regulated by the GDPR.

Anticipated changes to law

Sector-specific issues: There are several sector-specific laws with data protection provisions which require amendment to ensure harmonisation with the GDPR. In January 2018, a group of data protection professionals reviewed the most relevant laws and proposed amendments to the Ministry of Justice for its consideration. The competent ministries reviewed the suggested amendments and prepared their own legislative proposals on the basis of them. The amendment of a great number of laws containing data processing provisions is still underway and is expected to be finalised by the end of 2018. The most important laws concern employment-related data processing, whistleblowing, healthcare operations, financial sector operations (banks, insurance, investment services), as well as advertising. The draft omnibus law was issued for public consultation on 27 September 2018. Organisations could send their comments to the legislator until 5 October 2018.

If applicable: stage of legislative implementation of GDPR

Short and administrative amendment to the Info Act.

On 20 June 2018, the Hungarian Parliament adopted a short, administrative amendment to the Info Act. The amendment enters into force once the president of the Parliament officially signs it in the following days.

The amendment has two important provisions:

  • The amendment officially appoints the existing Hungarian Data Protection Authority (in Hungarian: “Nemzeti Adatvédelmi és Információszabadság Hatóság”, abbreviated: “NAIH”) as the supervisory authority under the GDPR.
  • The amendment specifies that in case of breaches of data protection provisions, NAIH shall apply the sanctions proportionately. Primarily, it will issue a warning to the relevant data controller or data processor. This part of the amendment received relatively wide media attention, with some misunderstanding. A few reporters mistakenly believed that NAIH would not issue a fine for a first breach of the GDPR and/or would not sanction SMEs. However, this is not the case. The GDPR does not allow local deviation on this. This is why the amendment contains the words "in particular” and “primarily” – these are only guidelines to NAIH, not obligations.

Comprehensive amendment to the Info Act.

With effect from 26 July 2018, the Hungarian Parliament amended the Info Act to ensure harmonisation with the GDPR.

The structure of the amended Info Act is as follows:

  • specific provisions which apply in addition to the GDPR, including procedural rules, matters concerning which the GDPR permits derogation or the application of national laws;
  • specific provisions which apply to data processing operations which fall outside the scope of the GDPR; and
  • implementation of EU Directive 2016/680 of the European Parliament and of the Council (Law Enforcement Directive) to govern data processing for law enforcement, national security and national defence purposes.

1. Additional requirements for data processing necessary for compliance with a legal obligation or for public tasks

Article 6(1)(c) and (e) of the GDPR (Lawfulness of processing) permit data processing if (i) it is necessary for compliance with a legal obligation to which the controller is subject; or (ii) it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

The Info Act defines this kind of data processing operation as a “mandatory data processing operation” and provides that organisations can rely only on laws (acts of Parliament) and municipality decrees in these cases.

Such laws and municipality decrees shall define the following:

  • the identity of the data controller;
  • the purpose, term and conditions of the data processing;
  • the type of data;
  • the access rights to the data; and
  • when it is necessary to revise the data processing purpose.

If an organisation is processing personal data on the basis of legal instruments which are not laws or municipality decrees (e.g. governmental decrees, or decrees from a ministry or an authority like the Hungarian National Bank or the Hungarian Media and Infocommunications Authority), it may choose another legal basis (e.g. legitimate interests). However, this restrictive provision may be in conflict with Recital (41) of the GDPR: “where this Regulation refers to a legal basis or a legislative measure, this does not necessarily require a legislative act adopted by a parliament, without prejudice to requirements pursuant to the constitutional order of the Member State concerned.”

In the case of “mandatory data processing operations”, data controllers shall periodically assess whether a particular data processing operation is necessary for achieving its purpose. The Info Act also addresses the case where the relevant law / municipality decree does not define the timing of this review. In such a case, the data controller shall revise the purpose itself at least every 3 years, calculated from the commencement of the processing. The data controller shall (i) document the circumstances and results of such revision; and (ii) keep such documentation for 10 years and present it to the Hungarian National Authority for Data Protection and Freedom of Information (“NAIH”) at its request. Data controllers shall revise pre-GDPR data processing operations by 25 May 2021 at the latest.

2. Processing of personal data relating to criminal convictions and offences

The Info Act provides that data controllers can process personal data relating to criminal convictions and offences in accordance with the rules on the processing of special categories of personal data. The practical implication is that companies may process such data mainly (i) based on the explicit consent of the individual; (ii) for carrying out the obligations and exercising specific rights in the field of employment and social security and social protection law; or (iii) for the establishment, exercise or defence of legal claims. Organisations shall revise the legal basis of their data processing operations accordingly. However, the practical application of this rule is unclear; for example, there is considerable debate over whether employers may process criminal record certificates (erkölcsi bizonyítvány) under the new rules. Act I of 2012 on the Labour Code, which generally governs non-governmental employment relationships, only permits the processing of personal data relating to criminal convictions and offences in the case of certain work duties (especially the education, supervision, care and treatment of children).

3. Data protection rights of deceased people

Previously, Hungarian law did not regulate the data protection rights pertaining to deceased people. Now the Info Act ensures that, within five years of the death of an individual, the person designated by the individual – in an administrative declaration, a public document or a private document with full probative force – may exercise the data protection rights of the deceased. In the absence of such a designation, a close relative of the deceased may exercise the right to rectification, as well as the right to object to the data processing, the right to be forgotten and the right to the restriction of the processing. Organisations should update their Subject Access Rights procedures to ensure that individuals can exercise the data protection rights pertaining to deceased people as well.

4. Other significant provisions in the Info Act

  • The Info Act establishes a specific and permanent confidentiality obligation for DPOs. Organisations should revise the confidentiality clauses of the contracts with their DPOs to ensure harmonisation with the Info Act;
  • NAIH will convene and set the agenda of the “conference of data protection officers” each year. This conference shall serve as a regular interaction point between data protection officers and NAIH;
  • In accordance with the GDPR, organisations no longer need to register their data processing operations with NAIH. However, NAIH can verify the registrations made before 25 May 2018; therefore, it is advisable for companies to ensure that their practices and data protection notices are in line with the contents of their existing registrations at NAIH;
  • The Info Act does not provide for further significant deviations from the GDPR. For example, in relation to the offer of information society services directly to a child, the processing of the personal data of a child shall be lawful where the child is at least 16 years old.

If applicable: local derogations as permitted by GDPR

No derogations in the amendment to the Info Act.

In the case where NAIH states in its public communication that a specific type of data processing involves high risk and the data controller intends to perform the same or a similar activity, the data controller shall carry out a data protection impact assessment. NAIH also published on its webpage the open source software developed by the French Data Protection Authority (CNIL), which assists data controllers in the preparation of data protection impact assessments.

Scope

The Info Act applies to all kinds of data processing operations, except the processing of personal data by a natural person in the course of a purely personal or household activity. This is an addition to the GDPR, and covers manual data processing operations as well. (The GDPR applies only to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.)

The Info Act is applicable if:

  • the data controller’s (i) main establishment; or (ii) only place of business in the EU is in Hungary; or
  • the data processing operations of a data controller or its data processor are related to (i) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in Hungary; or (ii) the monitoring of the data subjects’ behaviour as far as their behaviour takes place within Hungary.

Penalties/enforcement

The provisions of the GDPR apply.

NAIH’s statement on imposing fines  

In Hungary, GDPR compliance is challenging for a wide range of SMEs. Pursuant to a specific provision in the Info Act, NAIH will usually warn a data controller or processor at the first infringement of the GDPR or local data protection laws in lieu of imposing a fine. Such a rule, however, only provides orientation to NAIH, which may also use other measures in case of a first breach, if it deems such measures necessary and fitting for the circumstances of the case. In the case of continuous breaches, NAIH may impose fines even on private persons, individual entrepreneurs or SMEs.

https://www.naih.hu/files/Adatved_allasfoglalas_NAIH-2018-4283-V-birsagkiszabas-szempontjai.pdf

Notable cases:

  • NAIH imposed a fine of HUF 1,500,000 (around EUR 5,000) on a company for failing to provide adequate privacy information to its customers when it registered their data in the company’s CRM database. The missing privacy information included the detailed list of all data processing purposes, and their legal basis.
  • NAIH imposed a fine of HUF 1,000,000 (around EUR 3,300) on a company because in a prize contest it used personal data in a way that it was not indicated in its privacy notice. Moreover, the privacy notice did not contain a precise list of the data processors involved, including the list of personal data accessible by them, for what term, and for what purpose (task). NAIH also noted that the company did not provide the opportunity for a separate consent for the transfer of personal data.
  • NAIH ordered a webshop to delete personal data collected for the purpose of sending direct marketing e-mails. On the website’s registration form, the ”yes” checkbox for consent to direct marketing e-mails was ticked in advance by default and did not require any action from the user besides proceeding with the registration. Hence, consent was not granted freely.
  • Data protection fine for hypermarket chain concerning CCTV operations. NAIH imposed a fine of HUF 15 million (EUR 50,000) on a major hypermarket operator with 6,535 employees for a data protection violation in connection with its CCTV operations. Triggered by an employee complaint, the authority investigated the company’s operations and ruled that its CCTV system was non-compliant with certain points of applicable data protection laws. This NAIH resolution is important for companies who are currently revising CCTV operations as part of GDPR compliance efforts since NAIH transparency expectations continue to be applicable also after 25 May 2018. https://www.naih.hu/files/NAIH-2018-412-H_hatarozat.pdf.
  • Data protection fine for a large telecoms company. NAIH imposed a fine of HUF 2,000,000 (approx. EUR 6,500) on a large telecoms company because it investigated and fulfilled a customer’s objection to the processing of his data for direct marketing purposes only after six months. In addition, NAIH found that the customer did not have a real possibility to refuse receipt of direct marketing communications (e.g. the consent form was written in declaratory language), the company used a pre-ticked consent box, and it did not provide detailed information on the data processing (e.g. a proper list of the data processed for direct marketing purposes). NAIH assumed that the company had breached the data protection rights of the other 1,869,000 customers who provided their consent in the same way (even if they did not complain about receiving direct marketing messages at all) and considered this an aggravating factor in setting the fine. https://www.naih.hu/files/NAIH-2018-153-H_hatarozat.pdf
  • Debt collection and assignment of claims. NAIH focused on the data protection implications of debt collection and assignment of claims in a number of cases. Debt collectors and other companies engaged in the purchase and enforcement of debts often fail to inform debtors of the legal basis and other details of the processing of their data, as well as of the individuals’ data protection rights and remedies. NAIH confirmed in several cases that companies could transfer the personal data of debtors without their consent only in relation to the personal data regarding the actual debt. The processing of personal data in relation to the enforcement of other costs (e.g. fees agreed between the lender and the debt enforcement company, such as debt enforcement costs and administrative charges for the debtor) is subject to the consent of the debtor. Data minimisation is of utmost importance: in a particular case, NAIH found that the debtor's address was sufficient for contact purposes and that the processing of his mobile phone number was excessive. https://www.naih.hu/files/Adatved_allasfoglalas_naih_2018_1748_V_tel_azonositas.pdf
  • Data processing concerning smart meters. NAIH inspected the data protection aspects of the operation of smart meters. In this particular case, the utility company was processing data collected through smart meters to prevent breaches of contract by subscribers where the breach was not a first occurrence, or where it could cause, or had caused, significant damage to the company. The company verified the status of each smart meter every 15 minutes. NAIH emphasised the data minimisation principle and noted that the company did not provide proper reasoning for how it determined the frequency of the verification: for example, why is it not sufficient to read the smart meter hourly? In addition, NAIH found that the company did not provide adequate data protection information on the operation of the smart meters in advance. https://www.naih.hu/files/Adatved_allasfoglalas_naih_2018_3428_V_okos_mero.pdf
  • Personal data breach management – accidental copy of customer data. In a case involving the investigation of a personal data breach, only a month before the GDPR became applicable, NAIH further clarified its position on breach management. In the given case, an employee of a repair service provider accidentally downloaded personal data from a client’s device. The service provider argued that even if its employee had failed to act in line with internal procedures, he neither made the data public nor transferred it to any third party; therefore no personal data breach had taken place. NAIH ruled that the service provider’s unlawful access to the personal data was indeed a personal data breach and that the company had failed to record it in its mandatory internal records of personal data breaches. In addition, the company failed to comply with the applicable data security provisions because its employee was able to copy the customer’s personal data, store it for months, and accidentally copy it to a third-party device. NAIH also highlighted that, to be accountable, companies must develop internal personal data breach detection procedures, prepare for actual breach management, and regularly review and test such procedures. NAIH also warned the company’s internal data protection officer because the DPO's internal communication was not specific enough (e.g. it did not suggest specific security measures to prevent similar cases in the future). In its resolution, NAIH also ordered the company to organise its internal communication so that employees advise the DPO of personal data breaches in due time, and NAIH asked the company to send its updated internal procedures, instructions, training materials and employee notices to the authority for review. https://www.naih.hu/files/Adatved_jelentes_NAIH_2017_3107_8_V.pdf
  • Photocopying identity documents. NAIH underlined that organisations must accept the data contained in valid public documents without photocopying the relevant document – bearing in mind the authenticity and probative force of such documents. Without the specific authorisation of law, the preparation of photocopies would be unlawful even with the consent of the individual. https://www.naih.hu/files/Adatved_allasfoglalas_NAIH-2018-1140-felsooktatasi_okmany_masolas.pdf
  • Personal data of contact persons. NAIH confirmed that the contact details of a natural person contracting partner, or the contact details of a natural person contact at a company are personal data. https://www.naih.hu/files/NAIH_2018_3484_V_20180713.pdf
  • Necessity of internal data protection policies. Organisations can freely decide on adopting an internal data protection policy. Such policy can be necessary for the secure and transparent data processing, taking into account the data processing activity and all circumstances / risks involved. https://www.naih.hu/files/NAIH_2018_3484_V_20180713.pdf 

Registration / notification

Data controllers shall no longer register their data processing activities with NAIH with regard to the fact that each data controller and data processor will record its data processing activities internally in line with Article 30 of the GDPR.

Main obligations and processing requirements

The provisions of the GDPR apply, with the following specific local practice:

Information

  • NAIH guidance on privacy notices is stricter than the requirements of the Info Act and the GDPR. Privacy notices must contain detailed information on each processing purpose, with a full list of the relevant data, the legal basis of the processing in each case, the data retention period, and the people who may access the data.
  • Individuals must receive detailed information on their data protection rights and remedies, and the data security measures applied by the company.
  • The privacy notice must contain a full list of each data processor and data transferee, tasks regarding the data, and the term of their processing.
  • Organisations shall formulate their privacy notices in a language understandable to the affected persons. In case of an application also addressed to individuals living/residing in Hungary, the privacy notice of such application (also) shall be in Hungarian language. https://www.naih.hu/files/NAIH-2018-3878-allasfoglalas.pdf  

Consent

  • For employment-related data processing, NAIH considers that consent is a proper legal basis only if the processing provides benefits for employees. Otherwise, employers must rely on compliance with a legal obligation or legitimate interests as the legal basis for employee data processing.

Data subject rights

The provisions of the GDPR apply.

The Info Act provides that individuals can seek an effective judicial remedy before the courts when their data protection rights are infringed, without prejudice to any available administrative or non-judicial remedy. In Hungary, the competent court is the tribunal (törvényszék) at the domicile or habitual residence of the claimant. In addition to compensation for the individual’s direct and indirect damages, the court can also award a general compensation for the infringement (sérelemdíj). The court can also publish its judgment, identifying the data controller or the data processor, if the infringement affects a large number of individuals, the infringer carries out public tasks, or the gravity of the infringement requires publication. The Info Act authorises NAIH to join any such litigation in support of the individual’s claim.

Processing by third parties

The provisions of the GDPR apply.

Transfers out of country

The provisions of the GDPR apply.

Before 25 May 2018, data controllers had to keep an internal data transfer registry for the verification of the legitimacy of data transfers and for providing information to data subjects. The internal data transfer registry had to contain the date, legal basis and addressee of the data transfer, together with the scope of the data transferred and any other data required by law.

Data Protection Officer

The provisions of the GDPR apply. Data controllers and data processors shall publish the contact details of their data protection officers and communicate them to NAIH through the Data Protection Officer Reporting System.

Security

The provisions of the GDPR apply.

Breach notification

The provisions of the GDPR apply. Data controllers shall notify personal data breaches to NAIH through the Personal Data Breach Reporting System. The reporting form is also available on NAIH’s website, if a company wants to report the breach on paper.

Bearing in mind that the language of the administrative procedures in Hungary is Hungarian, organisations shall report data breaches in Hungarian language to NAIH. https://www.naih.hu/files/NAIH-2018-2601-2-K.pdf

In line with the amended EU Directive 2002/58/EC, electronic communications service providers have specific mandatory data security breach notification obligations.

Before 25 May 2018, data controllers had to keep an internal register of data security breaches (“Internal Data Security Breach Register”). The register had to contain the data affected, the scope and number of the people affected, the date, the circumstances and effects of the breach, the measures taken to remedy the breach, and any other data required by data protection laws.

Electronic communications service providers could fulfil this obligation by keeping the specific internal register required by electronic communications laws. The Internal Data Security Breach Register also had to cover breaches by data processors.

Direct marketing

Hungary operates an “opt-in” regime.

Advertisements may be sent to private individual end-users in Hungary by e-mail or similar electronic channels only with the express prior consent of the addressee.

Consents for individual marketing activities must contain the name, place and date of birth (where the marketing may only be targeted at people above a certain age), and the list of the consumer’s personal data which are processed in relation to the marketing.

Consent must also state that it is provided voluntarily, on the basis of adequate information provided to the consumer.

In all cases, end-users must be expressly informed in all individual marketing communications of the opportunity to freely opt-out of the communications and be given the relevant contact details (postal and e-mail address) where they can do so. This statement is usually inserted in the footer of the marketing communications.

If the consent is provided in a contract or in general terms, it must be provided separately from the main text – e.g. via the acceptance of a separate consent box. It cannot be a precondition to the contracting or receipt of a service, such as a webshop.

Where the advertiser offers added value in return for the addressee’s consent to receiving direct marketing messages (e.g. the addressee is given the opportunity to participate in a game or to use a free e-mail service), a separate consent box may not be needed.

The direct mail message is lawful if the private individual addressee is an employee of a legal entity and the advertiser obtained the contact details lawfully (e.g. via the company's website or public sources), and the advertisement is targeted to the company.

In all cases, an internal register must be kept of the persons who provided opt-in consent for individual marketing activities. This register must include the addressee’s name, birth place and date of birth.

Direct marketing consents for benefits. According to NAIH, when organisations provide some benefit for subscribing to a newsletter, they must assess on a case-by-case basis how such benefit influences the free nature of the consent. In particular, it is important to examine whether the denial or withdrawal of consent (e.g. opt-out) causes any disadvantage for the individual. The provision of a service or a benefit shall not be conditional on a consent to data processing for additional purposes (e.g. direct marketing). Such practice is allowed only if the benefit is inseparable from the newsletter, e.g. the newsletter contains an exclusive content or offer.

https://www.naih.hu/files/NAIH_2018_3581.pdf

Cookies

The storing of information, or the gaining of access to information already stored, in the electronic communications terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, including information on the purpose of the data processing.

Note: this does not prevent any technical storage or access for the sole purpose of carrying out the transfer of a communication over an electronic communications network, or as strictly necessary in order to provide an information society service explicitly requested by the subscriber or user.

Cookie notices must contain:

  • the cookie’s name, type, function, purpose, necessity and lifespan
  • the data the cookie can access
  • third parties for whom the cookie collects data and the purpose of such collection
  • a link on how to find the cookie management menu and the functions in the most commonly used browsers (Mozilla Firefox, Google Chrome, Internet Explorer).

Cookies and GDPR

NAIH gave a detailed opinion on the legal basis of data processing pertaining to cookies.

a.    The website operator may process the relevant personal data on the basis of its legitimate interests, without the consent of the users, when the placement of the cookies or any server-side IP address logging takes place solely for the purpose of operating the website, in order to ensure its operability or its essential functions, as well as the security of the computer system. The consent of the user for the cookie placement may be required when it is possible to use the webpage without the cookie.

b.    For the use of cookies for statistical purposes (e.g. collecting technical data which are not necessary for the ongoing operation of the service and are required only for its future development or for visitor counting, etc.), as well as for marketing purposes (tracking the user in connection with advertisements, etc.), the website operator may rely on its legitimate interests for the data processing only in exceptional cases. The website operator may rely on legitimate interests, for example, where there is a relevant and appropriate relationship between the user and the operator (e.g. the user is an existing customer). In the case of third-party cookies, there is usually no such relationship.

c.    Website operators must differentiate between first party cookies (applied for statistical or development purposes) and marketing cookies, bearing in mind that the user may want to consent to one of the cookies, but does not intend to provide consent to the other one. Bundling such consents may lead to unlawful data processing.

https://www.naih.hu/files/NAIH_2018_3567_V_20180713.pdf

Useful links


Cyber Security

Last updated 10 October 2018

Risk scale

Laws and regulations

  • Act No. L/2013 on the Electronic Information Security of National and Self-Governmental Organisations (Electronic Information Security Act)
  • Act No. CLXVI/2012 on the Identification, Designation and Protection of Critical Systems and Infrastructure (Critical Infrastructures Act)
  • Government decree No. 65/2013 on the Execution of the Critical Infrastructures Act (Critical Infrastructures Government Decree)
  • Government decree No. 249/2017 on the Identification, Designation and Protection of Critical Systems and Infrastructures in the Infocommunications Sector (Infocommunications Sector Government Decree) (entry into force: 4 March 2018)
  • Act No. CVIII/2001 on Electronic Commerce and Information Society Services (E-Commerce Act)

Anticipated changes to law

Implementation of the EU NIS Directive is ongoing. Cybersecurity obligations for service providers: the new Government Decree No. 410/2017 on service providers with reporting obligations (Cybersecurity Reporting Decree) identifies certain service providers that have reporting obligations concerning cybersecurity. Such providers include cloud service providers with a seat in Hungary. Apart from reporting and electronic registration, the Cybersecurity Reporting Decree sets out a number of other obligations for the relevant service providers, including the preparation and yearly revision of a risk assessment, the reporting of security events and cooperation with the authority, as well as the preparation of measures to eliminate such events. Currently, international cloud service providers that also operate in Hungary have some difficulty in interpreting whether they fall under the Cybersecurity Reporting Decree. The seat – in accordance with the NIS Directive – means the main establishment, which is the place where the provider has its head office in the EU. “Establishment” implies the effective and real exercise of activity; whether it is a branch or a subsidiary is not a decisive factor.

New Cybersecurity Strategy. The Hungarian government is currently working on a new National Cybersecurity Strategy, which is expected to be revealed later this year.

Application

  • The Electronic Information Security Act sets out security obligations for national and self-governmental organisations, and for entities performing data processing for those organisations and for data processors of national registers.
  • The Critical Infrastructures Act identifies national and European system components with key sectoral importance and sets out designation rules and safety obligations.
  • The government decree No. 249/2017 specifies obligations for the infocommunications sector. It will enter into force on 4 March 2018.
  • The E-Commerce Act sets out obligations for electronic services providers, including security obligations and the guarantee of consumer rights by technical means.

Cybersecurity registration obligations

The National Directorate General for Disaster Management of the Ministry of the Interior (in Hungarian: “Belügyminisztérium Országos Katasztrófavédelmi Főigazgatósága”) recently issued requests to those digital service providers that had failed to register by 8 August 2018 under the Cybersecurity Reporting Decree. The Directorate also expects webshop operators to register and comply with the provisions of the Cybersecurity Reporting Decree, bearing in mind that they are “online marketplaces”, i.e. a sub-category of digital service providers.

In the registration form, digital service providers may provide the contact data of other entities that contribute to the service provided by the registering digital service provider. Such contributors do not need to be digital service providers themselves or have a Hungarian seat. The reason for providing such contact data is to assist the digital service provider in the event of a security incident and to resolve it more efficiently.

Besides the above, by 10 May 2019 (one year from the entry into force of the Cybersecurity Reporting Decree), digital service providers with a seat in Hungary that do not qualify as micro or small enterprises shall further

  • prepare a risk assessment, which covers: a) the security of networks, information systems, and facilities, b) security incident handling, and c) ensuring business continuity;
  • introduce and apply security measures proportionate to the risks identified by the risk assessment.

Every digital service provider and their partners contributing to such services (e.g. partners providing IT support) shall assess the steps necessary for complying with the Cybersecurity Reporting Decree and set up a clear procedure for dealing with security incidents, also in line with their in-house data breach management procedure. (Security incidents often overlap with data breaches, and there are occasions when it is quite challenging to differentiate between a security incident and a data breach.)

Authority

Concerning cybersecurity duties of organisations under the Electronic Information Security Act:

  • National Cyber Security Centre (Nemzeti Kibervédelmi Intézet)
  • National Directorate General for Disaster Management of the Ministry of the Interior (in Hungarian: “Belügyminisztérium Országos Katasztrófavédelmi Főigazgatósága”)

Sectoral designation authority for infocommunications services in line with the Infocommunications Sector Government Decree:

  • National Media and Communications Authority – NMHH (Nemzeti Média és Hírközlési Hatóság). Effective from March 2018.

Concerning electronic service providers:

  • NMHH and the Hungarian Authority for Consumer Protection (HACP)

Key obligations

Electronic Information Security Act

  • Appoint a security officer.
  • Report the data of the organisation to the authority (National Cyber Security Centre).
  • Classify the organisation into a specific security level.

Critical Infrastructures Act

  • Designation of critical infrastructure in administrative procedure.

E-Commerce Act

  • Specified electronic service providers – search engine, online market and cloud service providers – must maintain data security measures and report any security event to the Governmental Incident Response Team (Kormányzati Eseménykezelő Központ – GovCERT Hungary). Effective from May 2018.
  • Use an information security policy.

Penalties/enforcement

  • Critical Infrastructures Government Decree – fine of up to HUF 5,000,000 (approx. EUR 16,000).
  • Critical infrastructure in the infocommunications sector – fine to be specified at a later stage.
  • E-Commerce Act – penalties to be specified at a later stage.

Is there a national computer emergency response team (CERT) or computer security incident response team (CSIRT)?

Yes: GovCERT Hungary.

Is there a national incident management structure for responding to cybersecurity incidents?

Yes. GovCERT Hungary accepts incident reports 24 hours a day. Reporting by e-mail is strongly encouraged ([email protected]).

Other cybersecurity initiatives

The revision of Hungary’s cyber security strategy is in process. The new strategy may be prepared by the end of 2018.

Useful links



Authors

Dóra Petrányi
Partner
Budapest
Márton Domokos
Co-ordinator of the CEE Data Protection Practice, CMNO
Budapest